
Windows Analysis Report
LisectAVT_2403002A_163.exe

Overview

General Information

Sample name: LisectAVT_2403002A_163.exe
Analysis ID: 1482474
MD5: a472afb64b5c6f61ac63639fbd778001
SHA1: def8afce906aa4094c8a564ae9b9c886955c16b3
SHA256: 9582e561631b18bad3ef23b24a57636ef1d48b05535962dc0b19ab27e9351276
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • LisectAVT_2403002A_163.exe (PID: 3140 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_163.exe" MD5: A472AFB64B5C6F61AC63639FBD778001)
    • schtasks.exe (PID: 2668 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 3636 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MPGPH131.exe (PID: 5044 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: A472AFB64B5C6F61AC63639FBD778001)
  • MPGPH131.exe (PID: 5012 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: A472AFB64B5C6F61AC63639FBD778001)
  • RageMP131.exe (PID: 7252 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: A472AFB64B5C6F61AC63639FBD778001)
  • RageMP131.exe (PID: 7568 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: A472AFB64B5C6F61AC63639FBD778001)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: 00000006.00000003.2098792181.00000000052C0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_RiseProStealer | Description: Yara detected RisePro Stealer | Author: Joe Security
Source: 00000007.00000003.2097834723.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_RiseProStealer | Description: Yara detected RisePro Stealer | Author: Joe Security
Source: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp | Rule: JoeSecurity_RiseProStealer | Description: Yara detected RisePro Stealer | Author: Joe Security
Source: 00000008.00000003.2174447764.0000000004A00000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_RiseProStealer | Description: Yara detected RisePro Stealer | Author: Joe Security
Source: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp | Rule: JoeSecurity_RiseProStealer | Description: Yara detected RisePro Stealer | Author: Joe Security

            System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe, ProcessId: 3140, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
No Snort rule has matched
Timestamp: 2024-07-25T23:24:33.785844+0200 | SID: 2046269 | Source Port: 49705 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-25T23:24:39.989292+0200 | SID: 2046269 | Source Port: 49707 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-25T23:25:17.804075+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 49716 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-25T23:24:37.004080+0200 | SID: 2049060 | Source Port: 49707 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-25T23:24:30.824970+0200 | SID: 2049060 | Source Port: 49705 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-25T23:24:48.317488+0200 | SID: 2046269 | Source Port: 49715 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-25T23:24:33.786068+0200 | SID: 2046269 | Source Port: 49706 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-25T23:24:25.287527+0200 | SID: 2049060 | Source Port: 49704 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-25T23:24:39.689012+0200 | SID: 2022930 | Source Port: 443 | Destination Port: 49708 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-25T23:24:30.827995+0200 | SID: 2049060 | Source Port: 49706 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 2024-07-25T23:24:28.254825+0200 | SID: 2046269 | Source Port: 49704 | Destination Port: 58709 | Protocol: TCP | Classtype: A Network Trojan was detected


            AV Detection

Source: LisectAVT_2403002A_163.exe | Avira: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: LisectAVT_2403002A_163.exe | Joe Sandbox ML: detected
Source: LisectAVT_2403002A_163.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

            Networking

Source: global traffic | TCP traffic: 193.233.132.74 ports 0,5,7,8,58709,9
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 193.233.132.74:58709
Source: Joe Sandbox View | IP Address: 193.233.132.74
Source: Joe Sandbox View | ASN Name: FREE-NET-ASFREEnetEU
Source: unknown | TCP traffic detected without corresponding DNS query: 193.233.132.74 (25 occurrences)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_0003E0A0 recv, setsockopt, WSAStartup, closesocket, socket, connect, closesocket
Source: LisectAVT_2403002A_163.exe, 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_163.exe, 00000000.00000003.2036461002.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2098792181.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2097834723.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2174447764.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2257587629.0000000004E30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_163.exe, 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_163.exe, 00000000.00000003.2036461002.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2098792181.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2097834723.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2174447764.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2257587629.0000000004E30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002A_163.exe, 00000000.00000002.4499442748.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4499466734.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.4499103991.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4498783291.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4499262309.00000000011AB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORT

            System Summary

Source: LisectAVT_2403002A_163.exe | Static PE information: section name:
Source: LisectAVT_2403002A_163.exe | Static PE information: section name: .idata
Source: LisectAVT_2403002A_163.exe | Static PE information: section name:
Source: RageMP131.exe.0.dr | Static PE information: section name:
Source: RageMP131.exe.0.dr | Static PE information: section name: .idata
Source: RageMP131.exe.0.dr | Static PE information: section name:
Source: MPGPH131.exe.0.dr | Static PE information: section name:
Source: MPGPH131.exe.0.dr | Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr | Static PE information: section name:
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_00119824
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_000A9880
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_000950B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_000291A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_000973F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_0010646A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_001084A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_00102CE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_000224F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_000A6550
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_00028D70
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_000A55B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_0010BEAF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_00039F50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002C9824
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002450B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00259880
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_001D91A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002473F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002B646A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002B84A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002B2CE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_001D24F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_001D8D70
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00256550
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002555B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002BBEAF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_001E9F50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002CF771
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_002C9824
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_002450B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_00259880
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_001D91A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_002473F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_002B646A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_002B84A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_002B2CE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_001D24F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_001D8D70
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_00256550
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_002555B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_002BBEAF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_001E9F50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_002CF771
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_00229824
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_001B9880
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_001A50B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_001391A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_001A73F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_0021646A
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_002184A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_00212CE0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_001324F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_001B6550
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_00138D70
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_001B55B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_0021BEAF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_00149F50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_0022F771
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_00229824
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_001B9880
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_001A50B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_001391A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_001A73F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_0021646A
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_002184A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_00212CE0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_001324F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_001B6550
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_00138D70
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_001B55B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_0021BEAF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_00149F50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_0022F771
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 002AFED0 appears 52 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: String function: 0020FED0 appears 52 times
Source: LisectAVT_2403002A_163.exe, 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_163.exe
Source: LisectAVT_2403002A_163.exe, 00000000.00000002.4499034537.0000000000C90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_163.exe
Source: LisectAVT_2403002A_163.exe | Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_163.exe
Source: LisectAVT_2403002A_163.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002A_163.exe | Static PE information: Section: ZLIB complexity 0.9988822375541125
Source: LisectAVT_2403002A_163.exe | Static PE information: Section: jgtpuhbl ZLIB complexity 0.9899673103726526
Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9988822375541125
Source: RageMP131.exe.0.dr | Static PE information: Section: jgtpuhbl ZLIB complexity 0.9899673103726526
Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9988822375541125
Source: MPGPH131.exe.0.dr | Static PE information: Section: jgtpuhbl ZLIB complexity 0.9899673103726526
Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/5@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2380:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Command line argument: nI- | 6_2_002D48C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Command line argument: nI- | 7_2_002D48C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Command line argument: nI# | 8_2_002348C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Command line argument: nI# | 10_2_002348C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002A_163.exe, 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_163.exe, 00000000.00000003.2036461002.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2098792181.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2097834723.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2174447764.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2257587629.0000000004E30000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_163.exe, 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_163.exe, 00000000.00000003.2036461002.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2098792181.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2097834723.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2174447764.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2257587629.0000000004E30000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LisectAVT_2403002A_163.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | File read: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe
Source: unknown | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe "C:\Users\user\Desktop\LisectAVT_2403002A_163.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winmm.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wininet.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: devobj.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: devobj.dllJump to behavior
            Source: LisectAVT_2403002A_163.exeStatic file information: File size 2345480 > 1048576
            Source: LisectAVT_2403002A_163.exeStatic PE information: Raw size of jgtpuhbl is bigger than: 0x100000 < 0x1aa000

            Data Obfuscation

            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Unpacked PE file: 0.2.LisectAVT_2403002A_163.exe.20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jgtpuhbl:EW;ikxokzqh:EW; vs :ER;.rsrc:W;.idata :W; :EW;jgtpuhbl:EW;ikxokzqh:EW;
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 6.2.MPGPH131.exe.1d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jgtpuhbl:EW;ikxokzqh:EW; vs :ER;.rsrc:W;.idata :W; :EW;jgtpuhbl:EW;ikxokzqh:EW;
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 7.2.MPGPH131.exe.1d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jgtpuhbl:EW;ikxokzqh:EW; vs :ER;.rsrc:W;.idata :W; :EW;jgtpuhbl:EW;ikxokzqh:EW;
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 8.2.RageMP131.exe.130000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jgtpuhbl:EW;ikxokzqh:EW; vs :ER;.rsrc:W;.idata :W; :EW;jgtpuhbl:EW;ikxokzqh:EW;
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 10.2.RageMP131.exe.130000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jgtpuhbl:EW;ikxokzqh:EW; vs :ER;.rsrc:W;.idata :W; :EW;jgtpuhbl:EW;ikxokzqh:EW;
            Source: initial sample | Static PE information: section where entry point is pointing to: ikxokzqh
            Source: LisectAVT_2403002A_163.exe | Static PE information: real checksum: 0x242f5b should be: 0x242f63
            Source: RageMP131.exe.0.dr | Static PE information: real checksum: 0x242f5b should be: 0x242f63
            Source: MPGPH131.exe.0.dr | Static PE information: real checksum: 0x242f5b should be: 0x242f63
            Source: LisectAVT_2403002A_163.exe | Static PE information: section name:
            Source: LisectAVT_2403002A_163.exe | Static PE information: section name: .idata
            Source: LisectAVT_2403002A_163.exe | Static PE information: section name:
            Source: LisectAVT_2403002A_163.exe | Static PE information: section name: jgtpuhbl
            Source: LisectAVT_2403002A_163.exe | Static PE information: section name: ikxokzqh
            Source: RageMP131.exe.0.dr | Static PE information: section name:
            Source: RageMP131.exe.0.dr | Static PE information: section name: .idata
            Source: RageMP131.exe.0.dr | Static PE information: section name:
            Source: RageMP131.exe.0.dr | Static PE information: section name: jgtpuhbl
            Source: RageMP131.exe.0.dr | Static PE information: section name: ikxokzqh
            Source: MPGPH131.exe.0.dr | Static PE information: section name:
            Source: MPGPH131.exe.0.dr | Static PE information: section name: .idata
            Source: MPGPH131.exe.0.dr | Static PE information: section name:
            Source: MPGPH131.exe.0.dr | Static PE information: section name: jgtpuhbl
            Source: MPGPH131.exe.0.dr | Static PE information: section name: ikxokzqh
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_005C904D push ebp; mov dword ptr [esp], 3FDD6DE1h 0_2_005C9113
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_005C904D push 384CB050h; mov dword ptr [esp], ebx 0_2_005C9149
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_005C904D push 5C863602h; mov dword ptr [esp], ebx 0_2_005C918C
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_005C904D push 05098334h; mov dword ptr [esp], esi 0_2_005C91BA
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_005C9000 push edi; mov dword ptr [esp], 53F78224h 0_2_005C9001
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_005C9000 push edi; mov dword ptr [esp], edx 0_2_005C9041
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_005C9000 push ebp; mov dword ptr [esp], 3FDD6DE1h 0_2_005C9113
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_005C9000 push 384CB050h; mov dword ptr [esp], ebx 0_2_005C9149
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_005C9000 push 5C863602h; mov dword ptr [esp], ebx 0_2_005C918C
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_005C9000 push 05098334h; mov dword ptr [esp], esi 0_2_005C91BA
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_005C91CD push 491E841Dh; mov dword ptr [esp], eax 0_2_005C91F3
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_005C91CD push esi; mov dword ptr [esp], eax 0_2_005C92D1
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_005C91CD push edi; mov dword ptr [esp], eax 0_2_005C92FA
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Code function: 0_2_000FFA97 push ecx; ret 0_2_000FFAAA
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0077904D push ebp; mov dword ptr [esp], 3FDD6DE1h 6_2_00779113
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0077904D push 384CB050h; mov dword ptr [esp], ebx 6_2_00779149
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0077904D push 5C863602h; mov dword ptr [esp], ebx 6_2_0077918C
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0077904D push 05098334h; mov dword ptr [esp], esi 6_2_007791BA
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00779000 push edi; mov dword ptr [esp], 53F78224h 6_2_00779001
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00779000 push edi; mov dword ptr [esp], edx 6_2_00779041
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00779000 push ebp; mov dword ptr [esp], 3FDD6DE1h 6_2_00779113
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00779000 push 384CB050h; mov dword ptr [esp], ebx 6_2_00779149
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00779000 push 5C863602h; mov dword ptr [esp], ebx 6_2_0077918C
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00779000 push 05098334h; mov dword ptr [esp], esi 6_2_007791BA
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_007791CD push 491E841Dh; mov dword ptr [esp], eax 6_2_007791F3
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_007791CD push esi; mov dword ptr [esp], eax 6_2_007792D1
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_007791CD push edi; mov dword ptr [esp], eax 6_2_007792FA
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_002AFA97 push ecx; ret 6_2_002AFAAA
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_0077904D push ebp; mov dword ptr [esp], 3FDD6DE1h 7_2_00779113
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_0077904D push 384CB050h; mov dword ptr [esp], ebx 7_2_00779149
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_0077904D push 5C863602h; mov dword ptr [esp], ebx 7_2_0077918C
            Source: LisectAVT_2403002A_163.exe | Static PE information: section name: entropy: 7.977067116075123
            Source: LisectAVT_2403002A_163.exe | Static PE information: section name: jgtpuhbl entropy: 7.950675403597083
            Source: RageMP131.exe.0.dr | Static PE information: section name: entropy: 7.977067116075123
            Source: RageMP131.exe.0.dr | Static PE information: section name: jgtpuhbl entropy: 7.950675403597083
            Source: MPGPH131.exe.0.dr | Static PE information: section name: entropy: 7.977067116075123
            Source: MPGPH131.exe.0.dr | Static PE information: section name: jgtpuhbl entropy: 7.950675403597083
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe

            Boot Survival

            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Window searched: window name: FilemonClass
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Window searched: window name: RegmonClass
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Window searched: window name: FilemonClass
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Window searched: window name: Regmonclass
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Window searched: window name: Filemonclass
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: FilemonClass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: RegmonClass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: FilemonClass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Regmonclass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Filemonclass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: FilemonClass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: RegmonClass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: FilemonClass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Regmonclass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Filemonclass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Regmonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: FilemonClass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: RegmonClass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: FilemonClass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: Regmonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: Filemonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: FilemonClass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: RegmonClass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: FilemonClass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: Regmonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: Filemonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: Regmonclass
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131

            Malware Analysis System Evasion

            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep graph_6-18525
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep graph_8-21688
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep graph_0-20219
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 1602B5 second address: 1602BF instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFBA56586D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 1602BF second address: 1602C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E531E second address: 2E5324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E5324 second address: 2E5339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007FFBA4B43D9Bh 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E44EF second address: 2E44F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E44F4 second address: 2E44FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E44FA second address: 2E4500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E4684 second address: 2E468E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E4A9D second address: 2E4AB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA56586DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007FFBA56586D6h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E4AB9 second address: 2E4AD4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FFBA4B43DA5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E4AD4 second address: 2E4ADE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FFBA56586D6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2DAEE6 second address: 2DAEFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jmp 00007FFBA4B43D9Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E82BD second address: 2E82D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBA56586E5h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E82D6 second address: 2E82DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E82DA second address: 2E82F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFBA56586E4h 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E82F9 second address: 2E8328 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FFBA4B43D96h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push ecx 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 pop ecx 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d jp 00007FFBA4B43D96h 0x00000023 jmp 00007FFBA4B43D9Bh 0x00000028 popad 0x00000029 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E839E second address: 2E83A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E83A4 second address: 2E83A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E84F4 second address: 2E84FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E84FA second address: 2E84FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E84FE second address: 2E854C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edi 0x0000000c call 00007FFBA56586D8h 0x00000011 pop edi 0x00000012 mov dword ptr [esp+04h], edi 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc edi 0x0000001f push edi 0x00000020 ret 0x00000021 pop edi 0x00000022 ret 0x00000023 mov dx, 734Fh 0x00000027 mov dword ptr [ebp+122D1936h], edx 0x0000002d push 00000000h 0x0000002f mov dword ptr [ebp+122D21C3h], edi 0x00000035 push D79DC504h 0x0000003a push eax 0x0000003b push edx 0x0000003c js 00007FFBA56586D8h 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E854C second address: 2E85B8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 28623B7Ch 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007FFBA4B43D98h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 and edi, dword ptr [ebp+122D227Fh] 0x0000002f push 00000003h 0x00000031 push ecx 0x00000032 mov cx, 6852h 0x00000036 pop edi 0x00000037 xor dword ptr [ebp+122D182Ah], ecx 0x0000003d push 00000000h 0x0000003f jmp 00007FFBA4B43DA2h 0x00000044 push 00000003h 0x00000046 or edi, dword ptr [ebp+122D38F2h] 0x0000004c push A696F425h 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 push ebx 0x00000055 pop ebx 0x00000056 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E85B8 second address: 2E85CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA56586DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E85CE second address: 2E8600 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 6696F425h 0x0000000e mov edx, esi 0x00000010 lea ebx, dword ptr [ebp+1245C21Ch] 0x00000016 jmp 00007FFBA4B43DA6h 0x0000001b push eax 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 2E8600 second address: 2E8604 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 309BBC second address: 309BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 307A46 second address: 307A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop ebx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 307A51 second address: 307A59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 307A59 second address: 307A9D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FFBA56586E7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e jmp 00007FFBA56586DEh 0x00000013 pushad 0x00000014 jmp 00007FFBA56586E3h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 307A9D second address: 307AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FFBA4B43D96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 307C24 second address: 307C31 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFBA56586D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 308188 second address: 308192 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFBA4B43D96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 308192 second address: 308198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 308198 second address: 3081B0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FFBA4B43D9Eh 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 3081B0 second address: 3081BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FFBA56586D6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe | RDTSC instruction interceptor: First address: 3089B6 second address: 3089D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43DA6h 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007FFBA4B43D96h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3089D8 second address: 3089DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3089DC second address: 3089E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 308B10 second address: 308B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 308B14 second address: 308B18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 308B18 second address: 308B1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 2FFC5A second address: 2FFC78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FFBA4B43DA0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 2FFC78 second address: 2FFC7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3093F8 second address: 309408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 jg 00007FFBA4B43D9Eh 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 309542 second address: 309546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 309546 second address: 30954A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 30954A second address: 309578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBA56586DDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FFBA56586E3h 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007FFBA56586D6h 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 309578 second address: 309584 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 309584 second address: 30959A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FFBA56586D6h 0x0000000a jmp 00007FFBA56586DBh 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 30959A second address: 3095B6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FFBA4B43DA7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 30AFBC second address: 30AFC6 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFBA56586D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 30AFC6 second address: 30AFCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 30BF94 second address: 30BF9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 2D28D4 second address: 2D28E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FFBA4B43D96h 0x0000000a pushad 0x0000000b popad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 2D28E8 second address: 2D28ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 315180 second address: 315191 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FFBA4B43D96h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 315191 second address: 315195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 315195 second address: 31519B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 31519B second address: 3151A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pop edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3151A7 second address: 3151AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3151AD second address: 3151B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FFBA56586D6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 31455C second address: 314561 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 314561 second address: 3145A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FFBA56586E9h 0x0000000a jmp 00007FFBA56586E5h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnl 00007FFBA56586D6h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3145A1 second address: 3145BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43D9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3145BB second address: 3145C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3145C0 second address: 3145C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3145C6 second address: 3145CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 314701 second address: 314712 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FFBA4B43D96h 0x00000009 jng 00007FFBA4B43D96h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 31482C second address: 314831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 31497C second address: 3149CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FFBA4B43DA9h 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FFBA4B43DA1h 0x00000017 pop ecx 0x00000018 jmp 00007FFBA4B43DA9h 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 314FF9 second address: 315001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3170EF second address: 317101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FFBA4B43D9Ch 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 31715F second address: 31717B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA56586E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 317574 second address: 317579 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 31765D second address: 317686 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FFBA56586D6h 0x00000009 jmp 00007FFBA56586E6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 317D18 second address: 317D1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 317DF0 second address: 317DF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3186DE second address: 318767 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FFBA4B43D9Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e cmc 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push eax 0x00000014 call 00007FFBA4B43D98h 0x00000019 pop eax 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc eax 0x00000027 push eax 0x00000028 ret 0x00000029 pop eax 0x0000002a ret 0x0000002b mov dword ptr [ebp+122D29BFh], esi 0x00000031 pushad 0x00000032 mov dword ptr [ebp+122D1A60h], eax 0x00000038 mov dword ptr [ebp+122D277Bh], ebx 0x0000003e popad 0x0000003f push 00000000h 0x00000041 add dword ptr [ebp+122D22E1h], ecx 0x00000047 push eax 0x00000048 pushad 0x00000049 pushad 0x0000004a jnl 00007FFBA4B43D96h 0x00000050 jmp 00007FFBA4B43D9Ch 0x00000055 popad 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007FFBA4B43DA9h 0x0000005d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 2CA1C7 second address: 2CA21B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFBA56586D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FFBA56586E2h 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FFBA56586DDh 0x00000019 popad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jg 00007FFBA56586E2h 0x00000023 pushad 0x00000024 jo 00007FFBA56586D6h 0x0000002a jnc 00007FFBA56586D6h 0x00000030 push esi 0x00000031 pop esi 0x00000032 popad 0x00000033 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 319018 second address: 319025 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 31A851 second address: 31A855 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 31B8FF second address: 31B95F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov dword ptr [esp], eax 0x0000000a push eax 0x0000000b mov esi, 48738222h 0x00000010 pop esi 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007FFBA4B43D98h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 0000001Ch 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov esi, dword ptr [ebp+122D3966h] 0x00000033 mov di, dx 0x00000036 push 00000000h 0x00000038 mov si, 765Ch 0x0000003c push eax 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FFBA4B43DA6h 0x00000045 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 31B038 second address: 31B041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 31B041 second address: 31B045 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 31C3A5 second address: 31C3BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA56586E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 31E3AD second address: 31E420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007FFBA4B43D98h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 00000016h 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 jno 00007FFBA4B43D9Ch 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007FFBA4B43D98h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 0000001Ah 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 movsx edi, ax 0x00000046 push 00000000h 0x00000048 mov edi, dword ptr [ebp+122D3942h] 0x0000004e xchg eax, ebx 0x0000004f push eax 0x00000050 push edx 0x00000051 push ebx 0x00000052 jmp 00007FFBA4B43D9Eh 0x00000057 pop ebx 0x00000058 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 31EF14 second address: 31EF18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 31EF18 second address: 31EF52 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FFBA4B43D98h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000014h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov si, FE8Ah 0x0000002a push 00000000h 0x0000002c jl 00007FFBA4B43D97h 0x00000032 cmc 0x00000033 push eax 0x00000034 push esi 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 323B39 second address: 323B3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 324A14 second address: 324A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 324A1D second address: 324AB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA56586E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FFBA56586D8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 jmp 00007FFBA56586E0h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edx 0x0000002f call 00007FFBA56586D8h 0x00000034 pop edx 0x00000035 mov dword ptr [esp+04h], edx 0x00000039 add dword ptr [esp+04h], 00000014h 0x00000041 inc edx 0x00000042 push edx 0x00000043 ret 0x00000044 pop edx 0x00000045 ret 0x00000046 jmp 00007FFBA56586DFh 0x0000004b mov edi, dword ptr [ebp+122D3205h] 0x00000051 push 00000000h 0x00000053 or ebx, dword ptr [ebp+122D390Eh] 0x00000059 push eax 0x0000005a push edi 0x0000005b pushad 0x0000005c jmp 00007FFBA56586E0h 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 324C4E second address: 324C52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 324C52 second address: 324C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 324C58 second address: 324C62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FFBA4B43D96h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 324C62 second address: 324CEE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b sub dword ptr [ebp+122D1ED9h], ecx 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007FFBA56586D8h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 ja 00007FFBA56586DEh 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f push 00000000h 0x00000041 push ebx 0x00000042 call 00007FFBA56586D8h 0x00000047 pop ebx 0x00000048 mov dword ptr [esp+04h], ebx 0x0000004c add dword ptr [esp+04h], 0000001Ah 0x00000054 inc ebx 0x00000055 push ebx 0x00000056 ret 0x00000057 pop ebx 0x00000058 ret 0x00000059 mov eax, dword ptr [ebp+122D0321h] 0x0000005f jmp 00007FFBA56586DEh 0x00000064 push FFFFFFFFh 0x00000066 push edi 0x00000067 mov di, ax 0x0000006a pop ebx 0x0000006b nop 0x0000006c push edx 0x0000006d push eax 0x0000006e push edx 0x0000006f push ebx 0x00000070 pop ebx 0x00000071 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 326BA4 second address: 326BBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBA4B43DA2h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 326BBB second address: 326C45 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jnc 00007FFBA56586D6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov bl, cl 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FFBA56586D8h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d jp 00007FFBA56586DCh 0x00000033 call 00007FFBA56586E2h 0x00000038 xor ebx, dword ptr [ebp+122D1B94h] 0x0000003e pop ebx 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push esi 0x00000044 call 00007FFBA56586D8h 0x00000049 pop esi 0x0000004a mov dword ptr [esp+04h], esi 0x0000004e add dword ptr [esp+04h], 0000001Bh 0x00000056 inc esi 0x00000057 push esi 0x00000058 ret 0x00000059 pop esi 0x0000005a ret 0x0000005b cld 0x0000005c push eax 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 js 00007FFBA56586D6h 0x00000066 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 327DB6 second address: 327DBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 326E86 second address: 326E8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 326E8A second address: 326E8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 328DA9 second address: 328DAE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 329C5C second address: 329CF9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFBA4B43D9Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FFBA4B43D98h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007FFBA4B43D98h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 00000018h 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 mov dword ptr [ebp+122D1DF0h], eax 0x00000049 add dword ptr [ebp+1246EAA4h], edi 0x0000004f push 00000000h 0x00000051 push 00000000h 0x00000053 push edi 0x00000054 call 00007FFBA4B43D98h 0x00000059 pop edi 0x0000005a mov dword ptr [esp+04h], edi 0x0000005e add dword ptr [esp+04h], 00000016h 0x00000066 inc edi 0x00000067 push edi 0x00000068 ret 0x00000069 pop edi 0x0000006a ret 0x0000006b and bx, 07D1h 0x00000070 mov edi, 62C3974Bh 0x00000075 push eax 0x00000076 pushad 0x00000077 push eax 0x00000078 push edx 0x00000079 jmp 00007FFBA4B43D9Bh 0x0000007e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 32AB97 second address: 32AB9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3682CE second address: 3682D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3682D4 second address: 3682D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 2DE40A second address: 2DE424 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFBA56586E4h 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 2DE424 second address: 2DE429 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 367C54 second address: 367C58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 367C58 second address: 367C73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43D9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FFBA4B43D9Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 367C73 second address: 367C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 367C77 second address: 367C9B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFBA4B43D98h 0x00000008 push eax 0x00000009 jmp 00007FFBA4B43DA7h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 367F8C second address: 367F91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 36BD02 second address: 36BD0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FFBA4B43D96h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 36BD0C second address: 36BD10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 371D19 second address: 371D28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FFBA4B43D96h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 371D28 second address: 371D38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBA56586DCh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 371D38 second address: 371D56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FFBA4B43DA5h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 371D56 second address: 371D65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FFBA56586D6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 371D65 second address: 371D69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3706A5 second address: 3706AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3706AB second address: 3706AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 370C8F second address: 370C99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FFBA56586D6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3160E2 second address: 3160E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3160E6 second address: 3160EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 370E36 second address: 370E3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 370F95 second address: 370F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 370F9B second address: 370FC4 instructions: 0x00000000 rdtsc 0x00000002 js 00007FFBA4B43D96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 jmp 00007FFBA4B43DA9h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 370FC4 second address: 370FC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3780B3 second address: 3780C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43D9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop ebx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3780C7 second address: 3780D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA56586DDh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3787A6 second address: 3787B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FFBA4B43D96h 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3787B1 second address: 3787CB instructions: 0x00000000 rdtsc 0x00000002 jns 00007FFBA56586DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push edx 0x0000000c jg 00007FFBA56586D6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 378D0E second address: 378D17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 378D17 second address: 378D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 378D1D second address: 378D31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBA4B43D9Fh 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 37908F second address: 379095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 37E04C second address: 37E052 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 2C86C0 second address: 2C86C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 386948 second address: 386964 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43D9Ch 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jp 00007FFBA4B43D96h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 386964 second address: 386968 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 385A8C second address: 385A9C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 385A9C second address: 385AA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 385C43 second address: 385C61 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFBA4B43D96h 0x00000008 jno 00007FFBA4B43D96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 js 00007FFBA4B43D98h 0x00000016 push edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a push edx 0x0000001b pop edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 385EF9 second address: 385F02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 385F02 second address: 385F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBA4B43DA4h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 385F1A second address: 385F26 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 385F26 second address: 385F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 38609A second address: 3860A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 386204 second address: 386208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3865FD second address: 386602 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 386602 second address: 386607 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 38D5EA second address: 38D5EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 38D5EF second address: 38D5F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 38D5F4 second address: 38D608 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBA56586DCh 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 38DC96 second address: 38DC9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 38F0D2 second address: 38F0D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 38F0D6 second address: 38F0DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 38D04B second address: 38D05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 jmp 00007FFBA56586DAh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 395D0C second address: 395D12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 395D12 second address: 395D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FFBA56586D6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 395D22 second address: 395D2C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FFBA4B43D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 2DFF52 second address: 2DFF5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FFBA56586D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 39568C second address: 3956B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43DA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FFBA4B43DA1h 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3956B6 second address: 3956D7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFBA56586EBh 0x00000008 jmp 00007FFBA56586E5h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3956D7 second address: 3956DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 39582E second address: 39585A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA56586E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007FFBA56586D8h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 je 00007FFBA56586D6h 0x00000019 push edx 0x0000001a pop edx 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3959A6 second address: 3959CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43D9Ah 0x00000007 jmp 00007FFBA4B43DA4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3959CB second address: 3959D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3A146D second address: 3A149A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FFBA4B43DA6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jbe 00007FFBA4B43DA1h 0x00000011 jmp 00007FFBA4B43D9Bh 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3A149A second address: 3A14E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA56586E8h 0x00000007 jmp 00007FFBA56586E4h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jnp 00007FFBA56586F9h 0x00000014 jmp 00007FFBA56586E1h 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3A14E4 second address: 3A14EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3A1660 second address: 3A167B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBA56586E6h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3A545F second address: 3A5492 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jl 00007FFBA4B43D96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jno 00007FFBA4B43D9Ch 0x00000012 pushad 0x00000013 jo 00007FFBA4B43D96h 0x00000019 jnl 00007FFBA4B43D96h 0x0000001f push edi 0x00000020 pop edi 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 push ecx 0x00000025 jnp 00007FFBA4B43D96h 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3A5492 second address: 3A549C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3B08BF second address: 3B08C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3B08C6 second address: 3B08CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3B5737 second address: 3B573B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3BF94A second address: 3BF950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3BE6D0 second address: 3BE6DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FFBA4B43D96h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3BE9C8 second address: 3BE9EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBA56586E6h 0x00000009 jbe 00007FFBA56586D6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3BE9EB second address: 3BEA04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBA4B43DA4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3BEA04 second address: 3BEA12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnp 00007FFBA56586D6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3BEB93 second address: 3BEBA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FFBA4B43D96h 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3BEBA4 second address: 3BEBC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FFBA56586D6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFBA56586E5h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3BEBC8 second address: 3BEBCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3BEBCC second address: 3BEBD2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3C32AE second address: 3C32B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3C32B2 second address: 3C32EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jc 00007FFBA56586D6h 0x0000000b jmp 00007FFBA56586DDh 0x00000010 popad 0x00000011 jmp 00007FFBA56586E7h 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push edx 0x0000001b jg 00007FFBA56586D6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3C32EF second address: 3C32F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3C2E03 second address: 3C2E07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3C2F99 second address: 3C2FA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FFBA4B43D9Ah 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3C2FA9 second address: 3C2FDC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jng 00007FFBA56586DCh 0x00000015 push eax 0x00000016 push edx 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 jmp 00007FFBA56586E4h 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3C2FDC second address: 3C2FE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3C2FE0 second address: 3C2FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3C57B5 second address: 3C57E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBA4B43DA2h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFBA4B43DA6h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3C57E6 second address: 3C57EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3C57EA second address: 3C57F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3C57F0 second address: 3C57F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3C57F6 second address: 3C57FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3D7416 second address: 3D7427 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 ja 00007FFBA56586DEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3D8A03 second address: 3D8A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFBA4B43DA2h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3D8A19 second address: 3D8A28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA56586DBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3D34F9 second address: 3D34FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3D34FD second address: 3D3503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3D3503 second address: 3D3510 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jg 00007FFBA4B43D96h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3E574E second address: 3E5775 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA56586DEh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007FFBA56586E0h 0x00000014 jmp 00007FFBA56586DAh 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3E5775 second address: 3E5790 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FFBA4B43D96h 0x00000009 jmp 00007FFBA4B43DA0h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3E84B0 second address: 3E84BE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 3E84BE second address: 3E84C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 40C957 second address: 40C967 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FFBA56586D6h 0x00000008 jnl 00007FFBA56586D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 40C967 second address: 40C985 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43D9Dh 0x00000007 pushad 0x00000008 jne 00007FFBA4B43D96h 0x0000000e js 00007FFBA4B43D96h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 40C985 second address: 40C99C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a jng 00007FFBA56586D6h 0x00000010 jne 00007FFBA56586D6h 0x00000016 pop ecx 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 40C99C second address: 40C9A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FFBA4B43D96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 40CC50 second address: 40CC65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA56586DFh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 40CC65 second address: 40CC6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 40CFA9 second address: 40CFB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 40CFB4 second address: 40CFBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FFBA4B43D96h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 40D169 second address: 40D175 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FFBA56586D6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 40D175 second address: 40D17A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 40D2FC second address: 40D302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 411B63 second address: 411B80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43D9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFBA4B43D9Bh 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 411F46 second address: 411F4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 41372D second address: 413739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FFBA4B43D96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 413739 second address: 41373D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B9003C second address: 4B90060 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43DA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFBA4B43D9Ch 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B90060 second address: 4B90099 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 5A64h 0x00000007 mov edx, 0D8CB8D0h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 movsx edi, si 0x00000014 mov cl, DBh 0x00000016 popad 0x00000017 mov ebp, esp 0x00000019 jmp 00007FFBA56586E9h 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B90099 second address: 4B9009D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B9009D second address: 4B900A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B900A1 second address: 4B900A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B900A7 second address: 4B900AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C00606 second address: 4C0060C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C0060C second address: 4C00610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B80CB5 second address: 4B80CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBA4B43D9Eh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B80CC7 second address: 4B80CE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FFBA56586DFh 0x00000013 popad 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B80CE5 second address: 4B80D26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FFBA4B43D9Ch 0x00000013 and cl, 00000038h 0x00000016 jmp 00007FFBA4B43D9Bh 0x0000001b popfd 0x0000001c push eax 0x0000001d push edx 0x0000001e mov al, 1Fh 0x00000020 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B80D26 second address: 4B80D3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFBA56586DAh 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B80D3B second address: 4B80D41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B80D41 second address: 4B80D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B80D45 second address: 4B80D78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43D9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+04h] 0x0000000e pushad 0x0000000f movzx ecx, di 0x00000012 mov ebx, 340EBF0Ch 0x00000017 popad 0x00000018 push dword ptr [ebp+0Ch] 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FFBA4B43D9Eh 0x00000022 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B80DC0 second address: 4B80DC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B80DC6 second address: 4B80DCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C003A2 second address: 4C003BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA56586E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C003BF second address: 4C003DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4BD0BE4 second address: 4BD0BFE instructions: 0x00000000 rdtsc 0x00000002 mov cx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FFBA56586DFh 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4BD0BFE second address: 4BD0C22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4BD0C22 second address: 4BD0C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4BD0C26 second address: 4BD0C2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4BD0C2C second address: 4BD0C87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA56586E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push esi 0x0000000c movsx ebx, si 0x0000000f pop ecx 0x00000010 pushfd 0x00000011 jmp 00007FFBA56586E5h 0x00000016 sbb esi, 7D3783C6h 0x0000001c jmp 00007FFBA56586E1h 0x00000021 popfd 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov si, di 0x0000002b mov ax, di 0x0000002e popad 0x0000002f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C202FB second address: 4C20301 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C20301 second address: 4C20379 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FFBA56586DCh 0x00000008 pop esi 0x00000009 mov ch, dh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 pushad 0x00000011 jmp 00007FFBA56586E6h 0x00000016 mov ax, D1F1h 0x0000001a popad 0x0000001b mov dh, ch 0x0000001d popad 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 call 00007FFBA56586E5h 0x00000027 pop esi 0x00000028 pushfd 0x00000029 jmp 00007FFBA56586E1h 0x0000002e and ah, FFFFFFE6h 0x00000031 jmp 00007FFBA56586E1h 0x00000036 popfd 0x00000037 popad 0x00000038 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C20379 second address: 4C20389 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBA4B43D9Ch 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C20389 second address: 4C2038D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C2038D second address: 4C203CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FFBA4B43D9Dh 0x00000010 xor ecx, 1306F5F6h 0x00000016 jmp 00007FFBA4B43DA1h 0x0000001b popfd 0x0000001c mov bh, ah 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov edi, ecx 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C203CA second address: 4C20402 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 19h 0x00000005 jmp 00007FFBA56586E6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FFBA56586E7h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C00DB1 second address: 4C00DB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C00DB5 second address: 4C00DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C00DBB second address: 4C00DC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C00DC1 second address: 4C00DFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FFBA56586E5h 0x00000012 or al, FFFFFFC6h 0x00000015 jmp 00007FFBA56586E1h 0x0000001a popfd 0x0000001b mov ebx, ecx 0x0000001d popad 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C00DFB second address: 4C00E9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43D9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FFBA4B43DA7h 0x00000011 xor eax, 0E85C5AEh 0x00000017 jmp 00007FFBA4B43DA9h 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007FFBA4B43DA0h 0x00000023 adc esi, 67B00728h 0x00000029 jmp 00007FFBA4B43D9Bh 0x0000002e popfd 0x0000002f popad 0x00000030 xchg eax, ebp 0x00000031 jmp 00007FFBA4B43DA6h 0x00000036 mov ebp, esp 0x00000038 jmp 00007FFBA4B43DA0h 0x0000003d pop ebp 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 popad 0x00000044 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C00E9A second address: 4C00EA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C00EA0 second address: 4C00EA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B90751 second address: 4B90757 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B90757 second address: 4B9075D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B9075D second address: 4B9078D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FFBA56586E2h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 call 00007FFBA56586DCh 0x00000017 pop esi 0x00000018 movsx ebx, ax 0x0000001b popad 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B9078D second address: 4B907F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43D9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FFBA4B43D9Ch 0x00000011 adc al, FFFFFF88h 0x00000014 jmp 00007FFBA4B43D9Bh 0x00000019 popfd 0x0000001a jmp 00007FFBA4B43DA8h 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 jmp 00007FFBA4B43DA0h 0x00000027 pop ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FFBA4B43D9Ah 0x00000031 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B907F6 second address: 4B90805 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA56586DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C004A0 second address: 4C004A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C00B4C second address: 4C00B52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C00B52 second address: 4C00B86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43DA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFBA4B43DA7h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C00B86 second address: 4C00BB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ah, bl 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007FFBA56586E9h 0x00000014 movzx eax, bx 0x00000017 popad 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C00BB2 second address: 4C00C22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 9C3Fh 0x00000007 pushfd 0x00000008 jmp 00007FFBA4B43DA4h 0x0000000d and ecx, 32EA6128h 0x00000013 jmp 00007FFBA4B43D9Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov eax, dword ptr [ebp+08h] 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007FFBA4B43D9Bh 0x00000028 jmp 00007FFBA4B43DA3h 0x0000002d popfd 0x0000002e jmp 00007FFBA4B43DA8h 0x00000033 popad 0x00000034 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C00C22 second address: 4C00C67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFBA56586E1h 0x00000008 mov si, D5D7h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f and dword ptr [eax], 00000000h 0x00000012 jmp 00007FFBA56586DAh 0x00000017 and dword ptr [eax+04h], 00000000h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FFBA56586E7h 0x00000022 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4BD0B1C second address: 4BD0B6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 7741E6FAh 0x00000008 pushfd 0x00000009 jmp 00007FFBA4B43D9Bh 0x0000000e sub cl, FFFFFF9Eh 0x00000011 jmp 00007FFBA4B43DA9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007FFBA4B43DA1h 0x00000020 xchg eax, ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 mov cx, bx 0x00000027 mov dl, 1Dh 0x00000029 popad 0x0000002a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4BB07F5 second address: 4BB0804 instructions: 0x00000000 rdtsc 0x00000002 movsx edx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4BB0804 second address: 4BB0808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4BB0808 second address: 4BB080E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C10C32 second address: 4C10C38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C10C38 second address: 4C10C3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C10C3C second address: 4C10D4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FFBA4B43DA6h 0x00000011 push eax 0x00000012 jmp 00007FFBA4B43D9Bh 0x00000017 xchg eax, ebp 0x00000018 jmp 00007FFBA4B43DA6h 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 call 00007FFBA4B43D9Eh 0x00000025 jmp 00007FFBA4B43DA2h 0x0000002a pop ecx 0x0000002b call 00007FFBA4B43D9Bh 0x00000030 movzx eax, di 0x00000033 pop edi 0x00000034 popad 0x00000035 xchg eax, ecx 0x00000036 pushad 0x00000037 pushfd 0x00000038 jmp 00007FFBA4B43D9Eh 0x0000003d add ch, 00000038h 0x00000040 jmp 00007FFBA4B43D9Bh 0x00000045 popfd 0x00000046 jmp 00007FFBA4B43DA8h 0x0000004b popad 0x0000004c push eax 0x0000004d jmp 00007FFBA4B43D9Bh 0x00000052 xchg eax, ecx 0x00000053 jmp 00007FFBA4B43DA6h 0x00000058 mov eax, dword ptr [76FA65FCh] 0x0000005d jmp 00007FFBA4B43DA0h 0x00000062 test eax, eax 0x00000064 jmp 00007FFBA4B43DA0h 0x00000069 je 00007FFC16E569BEh 0x0000006f push eax 0x00000070 push edx 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C10D4A second address: 4C10D4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C10D4E second address: 4C10D54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C10262 second address: 4C1028B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFBA56586E4h 0x00000009 or al, 00000028h 0x0000000c jmp 00007FFBA56586DBh 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C1028B second address: 4C102A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFBA4B43D9Eh 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C102A5 second address: 4C102B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA56586DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C102B4 second address: 4C102E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFBA4B43D9Dh 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C103C6 second address: 4C103CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C103CA second address: 4C10413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FFBA56586E7h 0x0000000f xchg eax, ebx 0x00000010 jmp 00007FFBA56586E6h 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FFBA56586DEh 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C10413 second address: 4C1042F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov edx, 2B8104B6h 0x00000012 mov si, dx 0x00000015 popad 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C1042F second address: 4C10496 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFBA56586E6h 0x00000009 or esi, 15801FD8h 0x0000000f jmp 00007FFBA56586DBh 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, esi 0x0000001b jmp 00007FFBA56586E4h 0x00000020 push eax 0x00000021 jmp 00007FFBA56586DBh 0x00000026 xchg eax, esi 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FFBA56586E0h 0x00000030 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C10496 second address: 4C1049A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C1049A second address: 4C104A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C104A0 second address: 4C104A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C104A6 second address: 4C104BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFBA56586DBh 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C104BE second address: 4C10524 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ecx, ecx 0x0000000b jmp 00007FFBA4B43DA7h 0x00000010 xchg eax, edi 0x00000011 jmp 00007FFBA4B43DA6h 0x00000016 push eax 0x00000017 pushad 0x00000018 push eax 0x00000019 pop edi 0x0000001a popad 0x0000001b xchg eax, edi 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FFBA4B43DA1h 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C10524 second address: 4C1052A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C1052A second address: 4C1052E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C1052E second address: 4C10545 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, 00000001h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov cx, ABC7h 0x00000014 mov cl, 3Dh 0x00000016 popad 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C10545 second address: 4C1055E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBA4B43DA5h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C1055E second address: 4C1062C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA56586E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lock cmpxchg dword ptr [esi], ecx 0x0000000f pushad 0x00000010 push ecx 0x00000011 pushfd 0x00000012 jmp 00007FFBA56586DFh 0x00000017 add esi, 74EDFD9Eh 0x0000001d jmp 00007FFBA56586E9h 0x00000022 popfd 0x00000023 pop eax 0x00000024 popad 0x00000025 mov ecx, eax 0x00000027 jmp 00007FFBA56586E7h 0x0000002c cmp ecx, 01h 0x0000002f jmp 00007FFBA56586E6h 0x00000034 jne 00007FFC1790A6C5h 0x0000003a jmp 00007FFBA56586E0h 0x0000003f pop edi 0x00000040 pushad 0x00000041 pushfd 0x00000042 jmp 00007FFBA56586DEh 0x00000047 and si, FC58h 0x0000004c jmp 00007FFBA56586DBh 0x00000051 popfd 0x00000052 movzx ecx, dx 0x00000055 popad 0x00000056 pop esi 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007FFBA56586DEh 0x0000005e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C1062C second address: 4C10666 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FFBA4B43DA1h 0x00000009 adc ax, 5AA6h 0x0000000e jmp 00007FFBA4B43DA1h 0x00000013 popfd 0x00000014 mov ax, 4DD7h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pop ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C10666 second address: 4C1066A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C1066A second address: 4C10670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4C10670 second address: 4C10681 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFBA56586DDh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B70834 second address: 4B70858 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFBA4B43DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B70858 second address: 4B7085C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeRDTSC instruction interceptor: First address: 4B7085C second address: 4B70862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe Special instruction interceptor: First address: 15FAE8 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe Special instruction interceptor: First address: 15D362 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe Special instruction interceptor: First address: 315AA2 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe Special instruction interceptor: First address: 39AD00 instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 30FAE8 instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 30D362 instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 4C5AA2 instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 54AD00 instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 26FAE8 instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 26D362 instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 425AA2 instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 4AAD00 instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe Code function: 0_2_04C50833 rdtsc 0_2_04C50833
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe Window / User API: threadDelayed 1870
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe Window / User API: threadDelayed 1674
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1145
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1124
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 726
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1161
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1087
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 728
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1107
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1080
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1045
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1147
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1150
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe TID: 3208 Thread sleep time: -40020s >= -30000s
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe TID: 1788 Thread sleep count: 1870 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe TID: 1788 Thread sleep time: -3741870s >= -30000s
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe TID: 6976 Thread sleep count: 81 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe TID: 6976 Thread sleep count: 241 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe TID: 6184 Thread sleep count: 241 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe TID: 6188 Thread sleep count: 1674 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe TID: 6188 Thread sleep time: -3349674s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3184 Thread sleep count: 94 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3184 Thread sleep time: -188094s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3192 Thread sleep count: 119 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3192 Thread sleep time: -238119s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1164 Thread sleep count: 86 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1164 Thread sleep count: 1145 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1164 Thread sleep time: -115645s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7236 Thread sleep count: 1124 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7236 Thread sleep count: 726 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7236 Thread sleep time: -72600s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3172 Thread sleep count: 86 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3172 Thread sleep time: -172086s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6204 Thread sleep count: 118 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6204 Thread sleep time: -236118s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4448 Thread sleep count: 125 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4448 Thread sleep time: -250125s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3748 Thread sleep count: 124 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3748 Thread sleep time: -248124s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 320 Thread sleep count: 88 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 320 Thread sleep count: 1161 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 320 Thread sleep time: -117261s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7232 Thread sleep count: 1087 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7232 Thread sleep count: 728 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7232 Thread sleep time: -72800s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6780 Thread sleep count: 87 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6780 Thread sleep time: -174087s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 760 Thread sleep count: 130 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 760 Thread sleep time: -260130s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4268 Thread sleep count: 124 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4268 Thread sleep time: -248124s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7300 Thread sleep time: -42021s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7280 Thread sleep count: 1107 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7280 Thread sleep time: -2215107s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7276 Thread sleep count: 1080 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7276 Thread sleep time: -2161080s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7256 Thread sleep count: 249 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7376 Thread sleep count: 246 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7292 Thread sleep count: 1045 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7292 Thread sleep time: -2091045s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7612 Thread sleep time: -56028s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7592 Thread sleep count: 1147 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7592 Thread sleep time: -2295147s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7572 Thread sleep count: 282 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7700 Thread sleep count: 250 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7584 Thread sleep count: 1150 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7584 Thread sleep time: -2301150s >= -30000s
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
            Source: RageMP131.exe, RageMP131.exe, 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
            Source: RageMP131.exe, 0000000A.00000002.4499262309.00000000011AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
            Source: MPGPH131.exe, 00000007.00000002.4499103991.0000000000C25000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}DPRm
            Source: LisectAVT_2403002A_163.exe, 00000000.00000002.4499442748.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}g
            Source: MPGPH131.exe, 00000006.00000002.4499466734.00000000015F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&T
            Source: RageMP131.exe, 0000000A.00000002.4499262309.00000000011E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_57359524
            Source: MPGPH131.exe, 00000007.00000002.4499103991.0000000000C11000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: RageMP131.exe, 00000008.00000002.4498783291.0000000000B73000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: RageMP131.exe, 0000000A.00000002.4498642794.0000000000EFD000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: MPGPH131.exe, 00000007.00000002.4499103991.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a
            Source: MPGPH131.exe, 00000006.00000002.4499466734.00000000015BD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.e
            Source: RageMP131.exe, 0000000A.00000002.4499262309.00000000011AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}^
            Source: MPGPH131.exe, 00000006.00000002.4498818545.000000000133D000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}[
            Source: MPGPH131.exe, 00000007.00000002.4499103991.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_57359524
            Source: MPGPH131.exe, 00000007.00000002.4499103991.0000000000C11000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
            Source: RageMP131.exe, 0000000A.00000003.2270670697.00000000011E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: MPGPH131.exe, 00000007.00000002.4499103991.0000000000C11000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&fQRNhy
            Source: LisectAVT_2403002A_163.exe, 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4497069031.000000000049C000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
            Source: MPGPH131.exe, 00000006.00000003.2125439054.0000000001604000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}v
            Source: RageMP131.exe, 0000000A.00000002.4499262309.00000000011AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}N
            Source: LisectAVT_2403002A_163.exe, 00000000.00000002.4499442748.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4498783291.0000000000B73000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4499262309.00000000011AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: MPGPH131.exe, 00000006.00000002.4499466734.00000000015F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllzz
            Source: MPGPH131.exe, 00000006.00000003.2125439054.0000000001604000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}l
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe System information queried: ModuleInformation
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe Thread information set: HideFromDebugger
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_04D40545 Start: 04D40530 End: 04D4051B 7_2_04D40545
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_04D40207 Start: 04D40235 End: 04D4023F 7_2_04D40207
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_04C80699 Start: 04C80749 End: 04C806FD 8_2_04C80699
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: regmonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: gbdyllo
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: procmon_window_class
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: ollydbg
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: filemonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: NTICE
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SICE
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: SIWVID
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe Code function: 0_2_04C50833 rdtsc 0_2_04C50833
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe Code function: 0_2_00083A40 mov eax, dword ptr fs:[00000030h] 0_2_00083A40
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe Code function: 0_2_00083A40 mov eax, dword ptr fs:[00000030h] 0_2_00083A40
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exe Code function: 0_2_00034100 mov eax, dword ptr fs:[00000030h] 0_2_00034100
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00233A40 mov eax, dword ptr fs:[00000030h] 6_2_00233A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00233A40 mov eax, dword ptr fs:[00000030h] 6_2_00233A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001E4100 mov eax, dword ptr fs:[00000030h] 6_2_001E4100
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00233A40 mov eax, dword ptr fs:[00000030h] 7_2_00233A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00233A40 mov eax, dword ptr fs:[00000030h] 7_2_00233A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_001E4100 mov eax, dword ptr fs:[00000030h] 7_2_001E4100
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00193A40 mov eax, dword ptr fs:[00000030h] 8_2_00193A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00193A40 mov eax, dword ptr fs:[00000030h] 8_2_00193A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00144100 mov eax, dword ptr fs:[00000030h] 8_2_00144100
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 10_2_00193A40 mov eax, dword ptr fs:[00000030h] 10_2_00193A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 10_2_00193A40 mov eax, dword ptr fs:[00000030h]10_2_00193A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 10_2_00144100 mov eax, dword ptr fs:[00000030h]10_2_00144100
            Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, RageMP131.exe, 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: :Program Manager
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeCode function: 0_2_000FF26A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,0_2_000FF26A
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_163.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

            Stealing of Sensitive Information

Source: Yara match; File source: 00000006.00000003.2098792181.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000003.2097834723.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2174447764.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2036461002.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.2257587629.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: LisectAVT_2403002A_163.exe PID: 3140, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MPGPH131.exe PID: 5044, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MPGPH131.exe PID: 5012, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RageMP131.exe PID: 7252, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RageMP131.exe PID: 7568, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match; File source: 00000006.00000003.2098792181.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000003.2097834723.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000003.2174447764.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000003.2036461002.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000003.2257587629.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: LisectAVT_2403002A_163.exe PID: 3140, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MPGPH131.exe PID: 5044, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: MPGPH131.exe PID: 5012, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RageMP131.exe PID: 7252, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: RageMP131.exe PID: 7568, type: MEMORYSTR
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 3 Command and Scripting Interpreter | 1 Scheduled Task/Job | 2 Process Injection | 1 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 24 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Native API | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 2 Process Injection | Security Account Manager | 24 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 12 Software Packing | Cached Domain Credentials | 214 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1482474
Sample: LisectAVT_2403002A_163.exe
Start date: 25/07/2024
Architecture: WINDOWS
Score: 100

Signatures on the sample node:
• Antivirus / Scanner detection for submitted sample
• Yara detected RisePro Stealer
• Machine Learning detection for sample
• 3 other signatures

Processes started from the sample node: LisectAVT_2403002A_163.exe, RageMP131.exe, MPGPH131.exe, 2 other processes

LisectAVT_2403002A_163.exe:
• DNS/IP: 193.233.132.74, ports 49704, 49705, 49706, FREE-NET-ASFREEnetEU, Russian Federation
• Dropped: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32)
• Dropped: C:\ProgramData\MPGPH131\MPGPH131.exe (PE32)
• Dropped: C:\Users\...\RageMP131.exe:Zone.Identifier (ASCII)
• Dropped: C:\...\MPGPH131.exe:Zone.Identifier (ASCII)
• Signature: Detected unpacking (changes PE section rights)
• Signature: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
• Signature: Uses schtasks.exe or at.exe to add and modify task schedules
• Signature: Tries to detect virtualization through RDTSC time measurements
• Started: schtasks.exe (two instances), each of which started conhost.exe

RageMP131.exe:
• Signature: Antivirus detection for dropped file
• Signature: Tries to detect sandboxes and other dynamic analysis tools (window names)
• Signature: Machine Learning detection for dropped file

MPGPH131.exe:
• Signature: Tries to evade debugger and weak emulator (self modifying code)
• Signature: Hides threads from debuggers
• Signature: Potentially malicious time measurement code found

2 other processes:
• Signature: Tries to detect sandboxes / dynamic malware analysis system (registry check)
• Signature: Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source | Detection | Scanner | Label | Link
LisectAVT_2403002A_163.exe | 100% | Avira | TR/Crypt.TPM.Gen |
LisectAVT_2403002A_163.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Avira | TR/Crypt.TPM.Gen |
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Avira | TR/Crypt.TPM.Gen |
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Joe Sandbox ML | |
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.winimage.com/zLibDll | 0% | URL Reputation | safe |
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 0% | Avira URL Cloud | safe |
https://t.me/RiseProSUPPORT | 0% | Avira URL Cloud | safe |
            No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | LisectAVT_2403002A_163.exe, 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_163.exe, 00000000.00000003.2036461002.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2098792181.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2097834723.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2174447764.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2257587629.0000000004E30000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.winimage.com/zLibDll | LisectAVT_2403002A_163.exe, 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_163.exe, 00000000.00000003.2036461002.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2098792181.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2097834723.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2174447764.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2257587629.0000000004E30000.00000004.00001000.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://t.me/RiseProSUPPORT | LisectAVT_2403002A_163.exe, 00000000.00000002.4499442748.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4499466734.00000000015BD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.4499103991.0000000000BEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4498783291.0000000000B3E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4499262309.00000000011AB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
193.233.132.74 | unknown | Russian Federation | | 2895 | FREE-NET-ASFREEnetEU | true
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1482474
            Start date and time:2024-07-25 23:23:31 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 11m 25s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:13
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:LisectAVT_2403002A_163.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@11/5@0/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:Failed
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240000 for current running targets taking high CPU consumption
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
            • VT rate limit hit for: LisectAVT_2403002A_163.exe
Time | Type | Description
17:24:50 | API Interceptor | 3225003x Sleep call for process: LisectAVT_2403002A_163.exe modified
17:24:56 | API Interceptor | 5485x Sleep call for process: MPGPH131.exe modified
17:25:04 | API Interceptor | 4828450x Sleep call for process: RageMP131.exe modified
23:24:25 | Task Scheduler | Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
23:24:25 | Task Scheduler | Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
23:24:25 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
23:24:34 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.233.132.74 | LisectAVT_2403002A_185.exe | malicious | RisePro Stealer |
193.233.132.74 | LisectAVT_2403002A_218.exe | malicious | RisePro Stealer |
193.233.132.74 | LisectAVT_2403002A_228.exe | malicious | RisePro Stealer |
193.233.132.74 | LisectAVT_2403002A_376.exe | malicious | RisePro Stealer |
193.233.132.74 | LisectAVT_2403002B_242.exe | malicious | RisePro Stealer |
193.233.132.74 | LisectAVT_2403002A_224.exe | malicious | RisePro Stealer |
193.233.132.74 | 80OrFCsz0u.exe | malicious | GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer |
193.233.132.74 | SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe | malicious | GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer |
193.233.132.74 | file.exe | malicious | RisePro Stealer |
193.233.132.74 | vGDqFBB1Jz.exe | malicious | RisePro Stealer |
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
FREE-NET-ASFREEnetEU | LisectAVT_2403002A_185.exe | malicious | RisePro Stealer | 193.233.132.74
FREE-NET-ASFREEnetEU | LisectAVT_2403002A_191.exe | malicious | RisePro Stealer | 193.233.132.62
FREE-NET-ASFREEnetEU | LisectAVT_2403002A_218.exe | malicious | RisePro Stealer | 193.233.132.74
FREE-NET-ASFREEnetEU | LisectAVT_2403002A_228.exe | malicious | RisePro Stealer | 193.233.132.74
FREE-NET-ASFREEnetEU | LisectAVT_2403002A_30.exe | malicious | Amadey | 193.233.132.56
FREE-NET-ASFREEnetEU | LisectAVT_2403002A_33.exe | malicious | Amadey | 193.233.132.56
FREE-NET-ASFREEnetEU | LisectAVT_2403002A_376.exe | malicious | RisePro Stealer | 193.233.132.74
FREE-NET-ASFREEnetEU | LisectAVT_2403002A_389.exe | malicious | Amadey | 193.233.132.56
FREE-NET-ASFREEnetEU | LisectAVT_2403002A_419.exe | malicious | RisePro Stealer | 193.233.132.67
FREE-NET-ASFREEnetEU | LisectAVT_2403002A_419.exe | malicious | RisePro Stealer | 193.233.132.67
No context
No context
                                No context
                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_163.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):2345480
                                Entropy (8bit):7.96694468702243
                                Encrypted:false
                                SSDEEP:49152:UggqhA+wMc8HC0LjwBEBNctGy5iKxAGgWwTMn0CVWDWpj:tgwNXiuwBJ5ZxAGgWwq0Fqp
                                MD5:A472AFB64B5C6F61AC63639FBD778001
                                SHA1:DEF8AFCE906AA4094C8A564AE9B9C886955C16B3
                                SHA-256:9582E561631B18BAD3EF23B24A57636EF1D48B05535962DC0B19AB27E9351276
                                SHA-512:B7247C1F896565F25B0BC51619233EEEA52DCFEA594A7ACA618F1FE1EE81FFBE07F301A6E20BA4395931A05FC9E5382059A4EFBB2D125F43C71A45C8D4A328EF
                                Malicious:true
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                Reputation:low
                                Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{Tf..Tg.{T..yUg.{TRichf.{T................PE..L....b.e...............".....0........Z...........@...........................Z.....[/$...@.........................XeZ.L...U...i.......X+.......................................................................................................... . .p..........................@....rsrc...X+..........................@....idata ............."..............@... .0,..........$..............@...jgtpuhbl......?......&..............@...ikxokzqh......Z.......#.............@...........................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_163.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview:[ZoneTransfer]....ZoneId=0
                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_163.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):2345480
                                Entropy (8bit):7.96694468702243
                                Encrypted:false
                                SSDEEP:49152:UggqhA+wMc8HC0LjwBEBNctGy5iKxAGgWwTMn0CVWDWpj:tgwNXiuwBJ5ZxAGgWwq0Fqp
                                MD5:A472AFB64B5C6F61AC63639FBD778001
                                SHA1:DEF8AFCE906AA4094C8A564AE9B9C886955C16B3
                                SHA-256:9582E561631B18BAD3EF23B24A57636EF1D48B05535962DC0B19AB27E9351276
                                SHA-512:B7247C1F896565F25B0BC51619233EEEA52DCFEA594A7ACA618F1FE1EE81FFBE07F301A6E20BA4395931A05FC9E5382059A4EFBB2D125F43C71A45C8D4A328EF
                                Malicious:true
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                Reputation:low
                                Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{Tf..Tg.{T..yUg.{TRichf.{T................PE..L....b.e...............".....0........Z...........@...........................Z.....[/$...@.........................XeZ.L...U...i.......X+.......................................................................................................... . .p..........................@....rsrc...X+..........................@....idata ............."..............@... .0,..........$..............@...jgtpuhbl......?......&..............@...ikxokzqh......Z.......#.............@...........................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_163.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview:[ZoneTransfer]....ZoneId=0
                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_163.exe
                                File Type:ASCII text, with no line terminators
                                Category:modified
                                Size (bytes):13
                                Entropy (8bit):2.6612262562697895
                                Encrypted:false
                                SSDEEP:3:LETUd:GE
                                MD5:CCF0035598D762198DCDA75F7E009B2E
                                SHA1:D0E7B17A5C927A1EE5C98D381F00DC6281789B3B
                                SHA-256:235ABA94D759DF94FE8C966BC86B4191CF49BBFB5F8FA1B0E1E0770BB7AF25C8
                                SHA-512:DE0A70C550131593CCBAA36C0383C82E3A2B695174F54560972BAF76B6EBC0626DADC7F2B1059820ED410136BCE46496C471406D05D4C6715305A0011EBC0ADA
                                Malicious:false
                                Preview:1721949373918
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.96694468702243
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:LisectAVT_2403002A_163.exe
                                File size:2'345'480 bytes
                                MD5:a472afb64b5c6f61ac63639fbd778001
                                SHA1:def8afce906aa4094c8a564ae9b9c886955c16b3
                                SHA256:9582e561631b18bad3ef23b24a57636ef1d48b05535962dc0b19ab27e9351276
                                SHA512:b7247c1f896565f25b0bc51619233eeea52dcfea594a7aca618f1fe1ee81ffbe07f301a6e20ba4395931a05fc9e5382059a4efbb2d125f43c71a45c8d4a328ef
                                SSDEEP:49152:UggqhA+wMc8HC0LjwBEBNctGy5iKxAGgWwTMn0CVWDWpj:tgwNXiuwBJ5ZxAGgWwq0Fqp
                                TLSH:1CB533A29E25A777DE524BF000E1C85F3DC0F9A494217F1C07E87C63FA7ABB19A85580
                                File Content Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{
                                Icon Hash:c769eccc64f6e2bb
                                Entrypoint:0x9a9000
                                Entrypoint Section:ikxokzqh
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x65FD62AE [Fri Mar 22 10:51:26 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:0
                                File Version Major:6
                                File Version Minor:0
                                Subsystem Version Major:6
                                Subsystem Version Minor:0
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                push edi
                                mov dword ptr [esp], 53F78224h
                                or dword ptr [esp], 7AD4FD19h
                                add dword ptr [esp], 094EA9F2h
                                sub dword ptr [esp], 7EDDB306h
                                xor dword ptr [esp], 36D6C656h
                                mov dword ptr [esp], esi
                                push esi
                                mov esi, esp
                                add esi, 00000004h
                                sub esi, 00000004h
                                xchg dword ptr [esp], esi
                                pop esp
                                mov dword ptr [esp], ebx
                                mov dword ptr [esp], eax
                                push edi
                                mov dword ptr [esp], edx
                                mov dword ptr [esp], ebx
                                call 00007FFBA4C27AA6h
                                int3
                                push dword ptr [esp]
                                mov eax, dword ptr [esp]
                                add esp, 04h
                                add esp, 00000004h
                                push eax
                                mov ebx, dword ptr [esp]
                                push edi
                                mov edi, esp
                                add edi, 00000004h
                                add edi, 04h
                                xchg dword ptr [esp], edi
                                pop esp
                                push ebp
                                mov ebp, 00000001h
                                add eax, ebp
                                mov ebp, dword ptr [esp]
                                add esp, 04h
                                push ebx
                                push ecx
                                push 5FE358F9h
                                pop ecx
                                shl ecx, 05h
                                xor ecx, 8704BB84h
                                push ecx
                                sub dword ptr [esp], 4AE90521h
                                pop ebx
                                add ebx, 4AE90521h
                                pop ecx
                                and ebx, 7EFFEAC0h
                                or ebx, 77FF4FAFh
                                add ebx, 7FFA94F5h
                                sub ebx, FFDFE4A4h
                                sub eax, ebx
                                pop ebx
                                sub eax, 0E6E004Dh
                                add eax, 0E6E0000h
                                cmp byte ptr [ebx], FFFFFFCCh
                                Name                                  Virtual Address  Virtual Size  Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x5a6558         0x4c          jgtpuhbl
                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x13b055         0x69          .idata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x138000         0x2b58        .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x13b1f8         0x8           .idata
                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
                                (empty)   0x1000           0x137000      0x90600   9b46898171af12ae8f817b7b5eb30aed  False     0.9988822375541125  data       7.977067116075123  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc     0x138000         0x2b58        0xc00     adc75844984f0b50333f31ea9c306356  False     0.83984375          data       7.036235070221089  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .idata    0x13b000         0x1000        0x200     745dea56938759dccaf9e183aa01b020  False     0.146484375         data       0.998472215956371  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                (empty)   0x13c000         0x2c3000      0x200     710cac2f137cecb62b5cb37aac1060d4  unknown   unknown             unknown    unknown            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                jgtpuhbl  0x3ff000         0x1aa000      0x1aa000  d9a39297acb29345d8359a749d8bd3b1  False     0.9899673103726526  data       7.950675403597083  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                ikxokzqh  0x5a9000         0x1000        0x400     41bee5a50a13964c9c82fe7780e23faf  False     0.7890625           data       6.155091484572297  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                Name           RVA       Size    Type                                                                Language  Country        ZLIB Complexity
                                RT_ICON        0x5a65a4  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9216   Russian   Russia         0.1892116182572614
                                RT_GROUP_ICON  0x5a8b4c  0x14    data                                                                Russian   Russia         1.15
                                RT_VERSION     0x5a8b60  0x2e4   data                                                                Russian   Russia         0.4689189189189189
                                RT_MANIFEST    0x5a8e44  0x17d   XML 1.0 document, ASCII text, with CRLF line terminators            English   United States  0.5931758530183727
                                DLL           Import
                                kernel32.dll  lstrcpy

                                Name   Ordinal  Address
                                Start  1        0x466e80

                                Language of compilation system  Country where language is spoken
                                Russian                         Russia
                                English                         United States
                                Timestamp                        Protocol  SID      Signature                                                               Source Port  Dest Port  Source IP       Dest IP
                                2024-07-25T23:24:33.785844+0200  TCP       2046269  ET MALWARE [ANY.RUN] RisePro TCP (Activity)                             49705        58709      192.168.2.5     193.233.132.74
                                2024-07-25T23:24:39.989292+0200  TCP       2046269  ET MALWARE [ANY.RUN] RisePro TCP (Activity)                             49707        58709      192.168.2.5     193.233.132.74
                                2024-07-25T23:25:17.804075+0200  TCP       2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow  443          49716      13.85.23.86     192.168.2.5
                                2024-07-25T23:24:37.004080+0200  TCP       2049060  ET MALWARE RisePro TCP Heartbeat Packet                                 49707        58709      192.168.2.5     193.233.132.74
                                2024-07-25T23:24:30.824970+0200  TCP       2049060  ET MALWARE RisePro TCP Heartbeat Packet                                 49705        58709      192.168.2.5     193.233.132.74
                                2024-07-25T23:24:48.317488+0200  TCP       2046269  ET MALWARE [ANY.RUN] RisePro TCP (Activity)                             49715        58709      192.168.2.5     193.233.132.74
                                2024-07-25T23:24:33.786068+0200  TCP       2046269  ET MALWARE [ANY.RUN] RisePro TCP (Activity)                             49706        58709      192.168.2.5     193.233.132.74
                                2024-07-25T23:24:25.287527+0200  TCP       2049060  ET MALWARE RisePro TCP Heartbeat Packet                                 49704        58709      192.168.2.5     193.233.132.74
                                2024-07-25T23:24:39.689012+0200  TCP       2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow  443          49708      13.85.23.86     192.168.2.5
                                2024-07-25T23:24:30.827995+0200  TCP       2049060  ET MALWARE RisePro TCP Heartbeat Packet                                 49706        58709      192.168.2.5     193.233.132.74
                                2024-07-25T23:24:28.254825+0200  TCP       2046269  ET MALWARE [ANY.RUN] RisePro TCP (Activity)                             49704        58709      192.168.2.5     193.233.132.74
                                Timestamp                           Source Port  Dest Port  Source IP       Dest IP
                                Jul 25, 2024 23:24:25.245265007 CEST  49704        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:25.250415087 CEST  58709        49704      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:25.250529051 CEST  49704        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:25.287527084 CEST  49704        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:25.292727947 CEST  58709        49704      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:28.254825115 CEST  49704        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:28.261090994 CEST  58709        49704      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:30.783601046 CEST  49705        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:30.785963058 CEST  49706        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:30.789261103 CEST  58709        49705      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:30.789341927 CEST  49705        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:30.790797949 CEST  58709        49706      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:30.790855885 CEST  49706        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:30.824970007 CEST  49705        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:30.827995062 CEST  49706        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:30.830615044 CEST  58709        49705      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:30.833266973 CEST  58709        49706      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:33.785844088 CEST  49705        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:33.786067963 CEST  49706        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:33.944892883 CEST  58709        49705      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:33.944935083 CEST  58709        49706      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:36.977360010 CEST  49707        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:36.985902071 CEST  58709        49707      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:36.986036062 CEST  49707        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:37.004080057 CEST  49707        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:37.009527922 CEST  58709        49707      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:39.989291906 CEST  49707        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:40.106304884 CEST  58709        49707      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:45.324544907 CEST  49715        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:45.329530001 CEST  58709        49715      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:45.329615116 CEST  49715        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:45.346700907 CEST  49715        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:45.351624966 CEST  58709        49715      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:46.661643982 CEST  58709        49704      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:46.661739111 CEST  49704        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:48.317487955 CEST  49715        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:48.322757959 CEST  58709        49715      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:52.172631025 CEST  58709        49706      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:52.172768116 CEST  49706        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:52.194489956 CEST  58709        49705      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:52.194577932 CEST  49705        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:24:58.369255066 CEST  58709        49707      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:24:58.369420052 CEST  49707        58709      192.168.2.5     193.233.132.74
                                Jul 25, 2024 23:25:06.741308928 CEST  58709        49715      193.233.132.74  192.168.2.5
                                Jul 25, 2024 23:25:06.741446972 CEST  49715        58709      192.168.2.5     193.233.132.74


                                Target ID:0
                                Start time:17:24:19
                                Start date:25/07/2024
                                Path:C:\Users\user\Desktop\LisectAVT_2403002A_163.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_163.exe"
                                Imagebase:0x20000
                                File size:2'345'480 bytes
                                MD5 hash:A472AFB64B5C6F61AC63639FBD778001
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2036461002.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false

                                Target ID:2
                                Start time:17:24:24
                                Start date:25/07/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                Imagebase:0x4a0000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:17:24:24
                                Start date:25/07/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:17:24:24
                                Start date:25/07/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                Imagebase:0x4a0000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:17:24:24
                                Start date:25/07/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:17:24:25
                                Start date:25/07/2024
                                Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Wow64 process (32bit):true
                                Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Imagebase:0x1d0000
                                File size:2'345'480 bytes
                                MD5 hash:A472AFB64B5C6F61AC63639FBD778001
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000003.2098792181.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                Reputation:low
                                Has exited:false

                                Target ID:7
                                Start time:17:24:25
                                Start date:25/07/2024
                                Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Wow64 process (32bit):true
                                Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Imagebase:0x1d0000
                                File size:2'345'480 bytes
                                MD5 hash:A472AFB64B5C6F61AC63639FBD778001
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000003.2097834723.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false

                                Target ID:8
                                Start time:17:24:34
                                Start date:25/07/2024
                                Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                Imagebase:0x130000
                                File size:2'345'480 bytes
                                MD5 hash:A472AFB64B5C6F61AC63639FBD778001
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000003.2174447764.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                Reputation:low
                                Has exited:false

                                Target ID:10
                                Start time:17:24:42
                                Start date:25/07/2024
                                Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                Imagebase:0x130000
                                File size:2'345'480 bytes
                                MD5 hash:A472AFB64B5C6F61AC63639FBD778001
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000003.2257587629.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false


                                  Execution Graph

                                  Execution Coverage:2.4%
                                  Dynamic/Decrypted Code Coverage:1.7%
                                  Signature Coverage:4.3%
                                  Total number of Nodes:348
                                  Total number of Limit Nodes:55
                                  execution_graph 20726 34100 GetPEB RtlAllocateHeap __fread_nolock 20228 2a210 20261 ff290 20228->20261 20230 2a248 20266 22ae0 20230->20266 20232 2a28b 20282 105362 20232->20282 20236 2a377 20238 2a34e 20238->20236 20311 1047b0 RtlAllocateHeap ___std_exception_copy __Getctype 20238->20311 20242 109136 4 API calls 20243 2a2fc 20242->20243 20248 2a318 20243->20248 20297 8cf60 20243->20297 20302 10dbdf 20248->20302 20263 221d0 Concurrency::cancel_current_task ___std_exception_copy std::_Facet_Register 20261->20263 20262 ff2af 20262->20230 20263->20262 20312 100651 RtlAllocateHeap __freea ___std_exception_copy 20263->20312 20265 22213 20265->20230 20267 22ba5 20266->20267 20273 22af6 20266->20273 20313 22270 RtlAllocateHeap __fread_nolock std::_Xinvalid_argument 20267->20313 20268 22b02 std::_Locinfo::_Locinfo_ctor 20268->20232 20270 22b2a 20277 ff290 std::_Facet_Register RtlAllocateHeap 20270->20277 20271 22baa 20314 221d0 RtlAllocateHeap Concurrency::cancel_current_task ___std_exception_copy 20271->20314 20273->20268 20273->20270 20275 22b65 20273->20275 20276 22b6e 20273->20276 20274 22b3d 20281 22b46 std::_Locinfo::_Locinfo_ctor 20274->20281 20315 1047b0 RtlAllocateHeap ___std_exception_copy __Getctype 20274->20315 20275->20270 20275->20271 20280 ff290 std::_Facet_Register RtlAllocateHeap 20276->20280 20276->20281 20277->20274 20280->20281 20281->20232 20316 1052a0 20282->20316 20284 2a2d7 20284->20238 20285 109136 20284->20285 20286 109149 ___std_exception_copy 20285->20286 20349 108e8d 20286->20349 20288 10915e 20356 1044dc 20288->20356 20291 104eeb 20292 104efe ___std_exception_copy 20291->20292 20462 104801 20292->20462 20294 104f0a 20295 1044dc ___std_exception_copy RtlAllocateHeap 20294->20295 20296 2a2f0 20295->20296 20296->20242 20298 8cf78 __fread_nolock 20297->20298 20299 8cfa7 20297->20299 20298->20248 20500 90560 20299->20500 20301 8cfba 20301->20248 20518 10dbfc 20302->20518 20304 2a348 20305 108be8 20304->20305 20306 
108bfb ___std_exception_copy 20305->20306 20633 108ac3 20306->20633 20308 108c07 20309 1044dc ___std_exception_copy RtlAllocateHeap 20308->20309 20310 108c13 20309->20310 20310->20238 20312->20265 20313->20271 20314->20274 20319 1052ac __fread_nolock 20316->20319 20317 1052b3 20334 10d23f RtlAllocateHeap __dosmaperr 20317->20334 20319->20317 20321 1052d3 20319->20321 20320 1052b8 20335 1047a0 RtlAllocateHeap ___std_exception_copy 20320->20335 20323 1052e5 20321->20323 20324 1052d8 20321->20324 20330 116688 20323->20330 20336 10d23f RtlAllocateHeap __dosmaperr 20324->20336 20327 1052ee 20329 1052c3 20327->20329 20337 10d23f RtlAllocateHeap __dosmaperr 20327->20337 20329->20284 20331 116694 __fread_nolock std::_Lockit::_Lockit 20330->20331 20338 11672c 20331->20338 20333 1166af 20333->20327 20334->20320 20335->20329 20336->20329 20337->20329 20339 11674f __fread_nolock 20338->20339 20343 116795 __fread_nolock 20339->20343 20344 1163f3 20339->20344 20341 1167b0 20348 116db3 RtlAllocateHeap __dosmaperr 20341->20348 20343->20333 20345 116400 __dosmaperr std::_Facet_Register 20344->20345 20346 11642b RtlAllocateHeap 20345->20346 20347 11643e __dosmaperr 20345->20347 20346->20345 20346->20347 20347->20341 20348->20343 20351 108e99 __fread_nolock 20349->20351 20350 108e9f 20371 104723 RtlAllocateHeap ___std_exception_copy __Getctype 20350->20371 20351->20350 20353 108ee2 __fread_nolock 20351->20353 20362 109010 20353->20362 20354 108eba 20354->20288 20357 1044e8 20356->20357 20358 1044ff 20357->20358 20460 104587 RtlAllocateHeap ___std_exception_copy __Getctype 20357->20460 20360 2a2ea 20358->20360 20461 104587 RtlAllocateHeap ___std_exception_copy __Getctype 20358->20461 20360->20291 20363 109023 20362->20363 20364 109036 20362->20364 20363->20354 20372 108f37 20364->20372 20366 1090e7 20366->20354 20367 109059 20367->20366 20376 1055d3 20367->20376 20371->20354 20373 108f48 20372->20373 20374 108fa0 20372->20374 20373->20374 20385 10e13d SetFilePointerEx RtlAllocateHeap 
__fread_nolock ___std_exception_copy 20373->20385 20374->20367 20377 1055ec 20376->20377 20378 105613 20376->20378 20377->20378 20386 115f82 20377->20386 20382 10e17d 20378->20382 20380 105608 20393 11538b 20380->20393 20437 10e05c 20382->20437 20384 10e196 20384->20366 20385->20374 20387 115fa3 20386->20387 20388 115f8e 20386->20388 20387->20380 20400 10d23f RtlAllocateHeap __dosmaperr 20388->20400 20390 115f93 20401 1047a0 RtlAllocateHeap ___std_exception_copy 20390->20401 20392 115f9e 20392->20380 20395 115397 __fread_nolock 20393->20395 20394 1153d8 20416 104723 RtlAllocateHeap ___std_exception_copy __Getctype 20394->20416 20395->20394 20397 11541e 20395->20397 20398 11539f 20395->20398 20397->20398 20402 11549c 20397->20402 20398->20378 20400->20390 20401->20392 20403 1154c4 20402->20403 20406 1154e7 __fread_nolock 20402->20406 20404 1154c8 20403->20404 20407 115523 20403->20407 20422 104723 RtlAllocateHeap ___std_exception_copy __Getctype 20404->20422 20406->20398 20408 115541 20407->20408 20410 10e17d 2 API calls 20407->20410 20417 114fe1 20408->20417 20410->20408 20412 1155a0 20412->20406 20414 115609 WriteFile 20412->20414 20413 115559 20413->20406 20423 114bb2 RtlAllocateHeap RtlAllocateHeap std::_Locinfo::_Locinfo_ctor _ValidateLocalCookies 20413->20423 20414->20406 20416->20398 20424 120d44 20417->20424 20419 115021 20419->20412 20419->20413 20420 114ff3 20420->20419 20433 109d10 RtlAllocateHeap RtlAllocateHeap std::_Locinfo::_Locinfo_ctor ___std_exception_copy 20420->20433 20422->20406 20423->20406 20425 120d51 20424->20425 20426 120d5e 20424->20426 20434 10d23f RtlAllocateHeap __dosmaperr 20425->20434 20430 120d6a 20426->20430 20435 10d23f RtlAllocateHeap __dosmaperr 20426->20435 20429 120d56 20429->20420 20430->20420 20431 120d8b 20436 1047a0 RtlAllocateHeap ___std_exception_copy 20431->20436 20433->20419 20434->20429 20435->20431 20436->20429 20442 11a6de 20437->20442 20439 10e06e 20440 10e08a SetFilePointerEx 20439->20440 20441 10e076 
__fread_nolock 20439->20441 20440->20441 20441->20384 20443 11a700 20442->20443 20444 11a6eb 20442->20444 20449 11a725 20443->20449 20457 10d22c RtlAllocateHeap __dosmaperr 20443->20457 20455 10d22c RtlAllocateHeap __dosmaperr 20444->20455 20446 11a6f0 20456 10d23f RtlAllocateHeap __dosmaperr 20446->20456 20449->20439 20450 11a730 20458 10d23f RtlAllocateHeap __dosmaperr 20450->20458 20452 11a6f8 20452->20439 20453 11a738 20459 1047a0 RtlAllocateHeap ___std_exception_copy 20453->20459 20455->20446 20456->20452 20457->20450 20458->20453 20459->20452 20460->20358 20461->20360 20463 10480d __fread_nolock 20462->20463 20464 104814 20463->20464 20465 104835 __fread_nolock 20463->20465 20472 104723 RtlAllocateHeap ___std_exception_copy __Getctype 20464->20472 20469 104910 20465->20469 20468 10482d 20468->20294 20473 104942 20469->20473 20471 104922 20471->20468 20472->20468 20474 104951 20473->20474 20475 104979 20473->20475 20489 104723 RtlAllocateHeap ___std_exception_copy __Getctype 20474->20489 20476 115f82 __fread_nolock RtlAllocateHeap 20475->20476 20478 104982 20476->20478 20486 10e11f 20478->20486 20479 10496c __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20479->20471 20482 104a43 20482->20479 20491 104ae3 SetFilePointerEx RtlAllocateHeap __fread_nolock __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20482->20491 20483 104a2c 20490 104cae SetFilePointerEx RtlAllocateHeap __fread_nolock __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z _ValidateLocalCookies 20483->20490 20492 10df37 20486->20492 20488 1049a0 20488->20479 20488->20482 20488->20483 20489->20479 20490->20479 20491->20479 20493 10df43 __fread_nolock 20492->20493 20494 10df86 20493->20494 20496 10dfcc 20493->20496 20498 10df4b 20493->20498 20499 104723 RtlAllocateHeap ___std_exception_copy __Getctype 20494->20499 20497 10e05c __fread_nolock 2 API calls 20496->20497 20496->20498 20497->20498 20498->20488 20499->20498 20501 906a9 20500->20501 20506 90585 20500->20506 20515 22270 RtlAllocateHeap __fread_nolock 
std::_Xinvalid_argument 20501->20515 20503 9059a 20507 ff290 std::_Facet_Register RtlAllocateHeap 20503->20507 20504 906ae 20516 221d0 RtlAllocateHeap Concurrency::cancel_current_task ___std_exception_copy 20504->20516 20506->20503 20508 905e3 20506->20508 20510 905f0 20506->20510 20513 905aa __fread_nolock std::_Locinfo::_Locinfo_ctor 20507->20513 20508->20503 20508->20504 20512 ff290 std::_Facet_Register RtlAllocateHeap 20510->20512 20510->20513 20512->20513 20514 90667 __fread_nolock std::_Locinfo::_Locinfo_ctor 20513->20514 20517 1047b0 RtlAllocateHeap ___std_exception_copy __Getctype 20513->20517 20514->20301 20515->20504 20516->20513 20519 10dc08 __fread_nolock 20518->20519 20520 10dc52 __fread_nolock 20519->20520 20521 10dc1b __fread_nolock 20519->20521 20525 10dc40 __fread_nolock 20519->20525 20527 10da06 20520->20527 20540 10d23f RtlAllocateHeap __dosmaperr 20521->20540 20524 10dc35 20541 1047a0 RtlAllocateHeap ___std_exception_copy 20524->20541 20525->20304 20528 10da18 __fread_nolock 20527->20528 20533 10da35 20527->20533 20529 10da25 20528->20529 20528->20533 20538 10da76 __fread_nolock 20528->20538 20601 10d23f RtlAllocateHeap __dosmaperr 20529->20601 20531 10da2a 20602 1047a0 RtlAllocateHeap ___std_exception_copy 20531->20602 20533->20525 20534 10dba1 __fread_nolock 20604 10d23f RtlAllocateHeap __dosmaperr 20534->20604 20536 115f82 __fread_nolock RtlAllocateHeap 20536->20538 20538->20533 20538->20534 20538->20536 20542 114623 20538->20542 20603 108a2b RtlAllocateHeap __fread_nolock __dosmaperr std::_Locinfo::_Locinfo_ctor ___std_exception_copy 20538->20603 20540->20524 20541->20525 20543 114635 20542->20543 20544 11464d 20542->20544 20611 10d22c RtlAllocateHeap __dosmaperr 20543->20611 20546 11498f 20544->20546 20550 114690 20544->20550 20629 10d22c RtlAllocateHeap __dosmaperr 20546->20629 20547 11463a 20612 10d23f RtlAllocateHeap __dosmaperr 20547->20612 20552 114642 20550->20552 20553 11469b 20550->20553 20559 1146cb 20550->20559 20551 114994 20630 
10d23f RtlAllocateHeap __dosmaperr 20551->20630 20552->20538 20613 10d22c RtlAllocateHeap __dosmaperr 20553->20613 20556 1146a8 20631 1047a0 RtlAllocateHeap ___std_exception_copy 20556->20631 20557 1146a0 20614 10d23f RtlAllocateHeap __dosmaperr 20557->20614 20561 1146e4 20559->20561 20562 1146f1 20559->20562 20563 11471f 20559->20563 20561->20562 20567 11470d 20561->20567 20615 10d22c RtlAllocateHeap __dosmaperr 20562->20615 20605 116e2d 20563->20605 20566 1146f6 20616 10d23f RtlAllocateHeap __dosmaperr 20566->20616 20570 120d44 __fread_nolock RtlAllocateHeap 20567->20570 20585 11486b 20570->20585 20572 1146fd 20617 1047a0 RtlAllocateHeap ___std_exception_copy 20572->20617 20573 114739 20619 116db3 RtlAllocateHeap __dosmaperr 20573->20619 20576 1148e3 ReadFile 20577 114957 20576->20577 20578 1148fb 20576->20578 20586 114964 20577->20586 20591 1148b5 20577->20591 20578->20577 20597 1148d4 20578->20597 20579 114740 20580 114765 20579->20580 20581 11474a 20579->20581 20622 10e13d SetFilePointerEx RtlAllocateHeap __fread_nolock ___std_exception_copy 20580->20622 20620 10d23f RtlAllocateHeap __dosmaperr 20581->20620 20585->20576 20593 11489b 20585->20593 20627 10d23f RtlAllocateHeap __dosmaperr 20586->20627 20587 11474f 20621 10d22c RtlAllocateHeap __dosmaperr 20587->20621 20589 114920 20625 114335 SetFilePointerEx RtlAllocateHeap __fread_nolock __dosmaperr 20589->20625 20590 114937 20600 114708 __fread_nolock 20590->20600 20626 11417b SetFilePointerEx RtlAllocateHeap __fread_nolock 20590->20626 20591->20600 20623 10d1e5 RtlAllocateHeap __dosmaperr 20591->20623 20593->20591 20593->20597 20594 114969 20628 10d22c RtlAllocateHeap __dosmaperr 20594->20628 20597->20589 20597->20590 20597->20600 20624 116db3 RtlAllocateHeap __dosmaperr 20600->20624 20601->20531 20602->20533 20603->20538 20604->20531 20606 116e6b 20605->20606 20610 116e3b __dosmaperr std::_Facet_Register 20605->20610 20632 10d23f RtlAllocateHeap __dosmaperr 20606->20632 20608 116e56 RtlAllocateHeap 20609 
114730 20608->20609 20608->20610 20618 116db3 RtlAllocateHeap __dosmaperr 20609->20618 20610->20606 20610->20608 20611->20547 20612->20552 20613->20557 20614->20556 20615->20566 20616->20572 20617->20600 20618->20573 20619->20579 20620->20587 20621->20600 20622->20567 20623->20600 20624->20552 20625->20600 20626->20600 20627->20594 20628->20600 20629->20551 20630->20556 20631->20552 20632->20609 20634 108acf __fread_nolock 20633->20634 20635 108ad9 20634->20635 20637 108afc __fread_nolock 20634->20637 20654 104723 RtlAllocateHeap ___std_exception_copy __Getctype 20635->20654 20639 108af4 20637->20639 20640 108b5a 20637->20640 20639->20308 20641 108b67 20640->20641 20642 108b8a 20640->20642 20666 104723 RtlAllocateHeap ___std_exception_copy __Getctype 20641->20666 20644 1055d3 4 API calls 20642->20644 20651 108b82 20642->20651 20645 108ba2 20644->20645 20655 116ded 20645->20655 20648 115f82 __fread_nolock RtlAllocateHeap 20649 108bb6 20648->20649 20659 114a3f 20649->20659 20651->20639 20654->20639 20656 116e04 20655->20656 20657 108baa 20655->20657 20656->20657 20668 116db3 RtlAllocateHeap __dosmaperr 20656->20668 20657->20648 20661 114a68 20659->20661 20665 108bbd 20659->20665 20660 114ab7 20673 104723 RtlAllocateHeap ___std_exception_copy __Getctype 20660->20673 20661->20660 20663 114a8f 20661->20663 20669 1149ae 20663->20669 20665->20651 20667 116db3 RtlAllocateHeap __dosmaperr 20665->20667 20666->20651 20667->20651 20668->20657 20670 1149ba __fread_nolock 20669->20670 20672 1149f9 20670->20672 20674 114b12 20670->20674 20672->20665 20673->20665 20675 11a6de __fread_nolock RtlAllocateHeap 20674->20675 20677 114b22 20675->20677 20678 11a6de __fread_nolock RtlAllocateHeap 20677->20678 20683 114b28 20677->20683 20685 114b5a 20677->20685 20682 114b51 20678->20682 20679 11a6de __fread_nolock RtlAllocateHeap 20680 114b66 FindCloseChangeNotification 20679->20680 20680->20683 20681 114b80 __fread_nolock 20681->20672 20684 11a6de __fread_nolock RtlAllocateHeap 
20682->20684 20686 11a64d RtlAllocateHeap __dosmaperr 20683->20686 20684->20685 20685->20679 20685->20683 20686->20681 20690 4c505dc GetCurrentHwProfileW GetCurrentHwProfileW GetCurrentHwProfileW 20693 3e0a0 WSAStartup 20694 3e0d8 20693->20694 20697 3e1a7 20693->20697 20695 3e175 socket 20694->20695 20694->20697 20696 3e18b connect 20695->20696 20695->20697 20696->20697 20698 3e19d closesocket 20696->20698 20698->20695 20698->20697 20211 4c50905 20213 4c50893 GetCurrentHwProfileW 20211->20213 20214 4c50932 20213->20214 20733 229c0 RtlAllocateHeap 20217 83a40 20220 83a55 20217->20220 20218 83b28 GetPEB 20218->20220 20219 83a73 GetPEB 20219->20220 20220->20218 20220->20219 20221 83b9d Sleep 20220->20221 20222 83ae8 Sleep 20220->20222 20223 83bc7 20220->20223 20221->20220 20222->20220 20729 39f50 5 API calls 3 library calls 20725 340e0 GetSystemTimePreciseAsFileTime __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __Xtime_get_ticks 20731 22770 RtlAllocateHeap RtlAllocateHeap std::_Locinfo::_Locinfo_ctor 20708 4c507b1 GetCurrentHwProfileW GetCurrentHwProfileW 20732 10d168 SetFilePointerEx WriteFile RtlAllocateHeap RtlAllocateHeap ___std_exception_copy 20709 4c5083e GetCurrentHwProfileW

                                  Control-flow Graph

                                  control_flow_graph 0 3e0a0-3e0d2 WSAStartup 1 3e1b7-3e1c0 0->1 2 3e0d8-3e102 call 26bd0 * 2 0->2 7 3e104-3e108 2->7 8 3e10e-3e165 2->8 7->1 7->8 10 3e1b1-3e1b6 8->10 11 3e167-3e16d 8->11 10->1 12 3e1c5-3e1cf 11->12 13 3e16f 11->13 12->10 18 3e1d1-3e1d9 12->18 14 3e175-3e189 socket 13->14 14->10 17 3e18b-3e19b connect 14->17 19 3e1c1 17->19 20 3e19d-3e1a5 closesocket 17->20 19->12 20->14 21 3e1a7-3e1b0 20->21 21->10
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: c01d161537f89b2f65af89b2e7abdf9b800bc31fc2f7822ad0b49fa9542325e3
                                  • Instruction ID: 2826e0844d2f9c981b14b264102de5aa149e430c7131163122bb864bb4509011
                                  • Opcode Fuzzy Hash: c01d161537f89b2f65af89b2e7abdf9b800bc31fc2f7822ad0b49fa9542325e3
                                  • Instruction Fuzzy Hash: 2B31C172605301ABD7229F24DC45B2BB7E8EB85734F115F1DF9A4972E0D33198048B92

                                  Control-flow Graph

                                  control_flow_graph 695 83a40-83a52 696 83a55-83a61 695->696 698 83b28-83b31 GetPEB 696->698 699 83a67-83a6d 696->699 701 83b34-83b48 698->701 699->698 700 83a73-83a7f GetPEB 699->700 704 83a80-83a94 700->704 702 83b99-83b9b 701->702 703 83b4a-83b4f 701->703 702->701 703->702 705 83b51-83b59 703->705 706 83ae4-83ae6 704->706 707 83a96-83a9b 704->707 708 83b60-83b73 705->708 706->704 707->706 709 83a9d-83aa3 707->709 710 83b92-83b97 708->710 711 83b75-83b88 708->711 712 83aa5-83ab8 709->712 710->702 710->708 711->711 713 83b8a-83b90 711->713 714 83aba 712->714 715 83add-83ae2 712->715 713->710 716 83b9d-83bc2 Sleep 713->716 717 83ac0-83ad3 714->717 715->706 715->712 716->696 717->717 718 83ad5-83adb 717->718 718->715 719 83ae8-83b0d Sleep 718->719 720 83b13-83b1a 719->720 720->698 721 83b1c-83b22 720->721 721->698 722 83bc7-83bd8 call 26bd0 721->722 725 83bda-83bdc 722->725 726 83bde 722->726 727 83be0-83bfd call 26bd0 725->727 726->727
                                  APIs
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00083DB6), ref: 00083B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00083DB6), ref: 00083BBA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: b0a80ffd53dd6ad1679ddcbe5a81991d5e4b5f203168415f2a2909aa4bc4b911
                                  • Instruction ID: e4789f9bf0c6cf28f641e5f09603e3232ec3e342b7b9338d13ab2cf3eb9c877a
                                  • Opcode Fuzzy Hash: b0a80ffd53dd6ad1679ddcbe5a81991d5e4b5f203168415f2a2909aa4bc4b911
                                  • Instruction Fuzzy Hash: 6E51BC35A041158FCB28DF58C4D0EAAB7F1FF84B04B294599D585AB351D731EE45CB80
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C5092A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: d9ce1af4ddefd995d81e95e473cc1470629fc03b27749242c0b5d0803d9f6eca
                                  • Instruction ID: 9b50a9593f7ea21f61dd41038399a6c360ce17b18a587843cf6a9cc88e01dbd4
                                  • Opcode Fuzzy Hash: d9ce1af4ddefd995d81e95e473cc1470629fc03b27749242c0b5d0803d9f6eca
                                  • Instruction Fuzzy Hash: 113127EB34C125BCB10281432B64EFF57AEE2D6B307388826FC07D1516F3846AC9647A

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: _$4|
                                  • API String ID: 2104809126-1878515764
                                  • Opcode ID: 246996ede7f617b61a337492c8f3c2f3a8f74304a52d0397e68f2452785af8ca
                                  • Instruction ID: a5740ea8ea83b845bf1ce36b61b55613ca32ed2af840aae0d29af6e96069ed0e
                                  • Opcode Fuzzy Hash: 246996ede7f617b61a337492c8f3c2f3a8f74304a52d0397e68f2452785af8ca
                                  • Instruction Fuzzy Hash: AA516AEB20C121BDB10195436B64EFF676EE6D2B70738882AFC07D1516F3942EC9643A

                                  Control-flow Graph

                                  control_flow_graph 80 4c506c8-4c507ea call 4c507a5 92 4c507fc-4c5082c call 4c50833 80->92 96 4c507ec-4c507fa 92->96 97 4c5082e-4c50835 92->97 96->92 98 4c50837-4c50897 97->98 99 4c50898-4c508a6 97->99 104 4c508ae-4c508e4 98->104 101 4c508f9 99->101 102 4c508a8-4c508ad 99->102 105 4c508fb-4c50917 101->105 102->104 104->105 109 4c50928-4c50931 GetCurrentHwProfileW 105->109 112 4c50932-4c50b40 call 4c50b4f 109->112
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: _$4|
                                  • API String ID: 2104809126-1878515764
                                  • Opcode ID: d7a65a6718027e12feeee6bda61e21930e6e8c3400c595e5f95400c97c0d3754
                                  • Instruction ID: 2c16fcb8c1729fd047ee08756f3521901212019c8425f6da36c9466ad9d3bf32
                                  • Opcode Fuzzy Hash: d7a65a6718027e12feeee6bda61e21930e6e8c3400c595e5f95400c97c0d3754
                                  • Instruction Fuzzy Hash: 975136EB20C121BDB10285432F64EFF576EE6D2B70738882AFD07D5516F3942AC9643A

                                  Control-flow Graph

                                  control_flow_graph 135 4c506d5-4c507ea call 4c507a5 147 4c507fc-4c5082c call 4c50833 135->147 151 4c507ec-4c507fa 147->151 152 4c5082e-4c50835 147->152 151->147 153 4c50837-4c50897 152->153 154 4c50898-4c508a6 152->154 159 4c508ae-4c508e4 153->159 156 4c508f9 154->156 157 4c508a8-4c508ad 154->157 160 4c508fb-4c50917 156->160 157->159 159->160 164 4c50928-4c50931 GetCurrentHwProfileW 160->164 167 4c50932-4c50b40 call 4c50b4f 164->167
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: _$4|
                                  • API String ID: 2104809126-1878515764
                                  • Opcode ID: c20bbb7fe7d45e98e3b0aeea4f1e861d93335b7ad628632aee104da5dddbe8c8
                                  • Instruction ID: 44ac6443fa9d8232f938258fb28901a95f5e96da3781ac76d6cc5d616047d595
                                  • Opcode Fuzzy Hash: c20bbb7fe7d45e98e3b0aeea4f1e861d93335b7ad628632aee104da5dddbe8c8
                                  • Instruction Fuzzy Hash: 7A5149EB20C125BDB10185432F64EFF576EE6D2B70738882AFC07D1516F3942AC9643A

                                  Control-flow Graph

                                  control_flow_graph 190 4c506f8-4c507ea call 4c507a5 200 4c507fc-4c5082c call 4c50833 190->200 204 4c507ec-4c507fa 200->204 205 4c5082e-4c50835 200->205 204->200 206 4c50837-4c50897 205->206 207 4c50898-4c508a6 205->207 212 4c508ae-4c508e4 206->212 209 4c508f9 207->209 210 4c508a8-4c508ad 207->210 213 4c508fb-4c50917 209->213 210->212 212->213 217 4c50928-4c50931 GetCurrentHwProfileW 213->217 220 4c50932-4c50b40 call 4c50b4f 217->220
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: _$4|
                                  • API String ID: 2104809126-1878515764
                                  • Opcode ID: 240e7a9c83e62ea0460cec2b178b3677852f298a9acbd014d2f8e314d28e2d37
                                  • Instruction ID: 2b05c09971438bc94f49f4ea19fe7b0f2a7eb280594e1b92d65a5eb0ed8d10b5
                                  • Opcode Fuzzy Hash: 240e7a9c83e62ea0460cec2b178b3677852f298a9acbd014d2f8e314d28e2d37
                                  • Instruction Fuzzy Hash: 14514AEB20C111BDB10285432B64EFF576EE6D2770738882AFD07D1516F3942EC9643A

                                  Control-flow Graph

                                  control_flow_graph 243 4c50745-4c5074a 244 4c5074c 243->244 245 4c5072b-4c50740 243->245 246 4c5074e-4c507ea call 4c507a5 244->246 245->246 253 4c507fc-4c5082c call 4c50833 246->253 257 4c507ec-4c507fa 253->257 258 4c5082e-4c50835 253->258 257->253 259 4c50837-4c50897 258->259 260 4c50898-4c508a6 258->260 265 4c508ae-4c508e4 259->265 262 4c508f9 260->262 263 4c508a8-4c508ad 260->263 266 4c508fb-4c50917 262->266 263->265 265->266 270 4c50928-4c50931 GetCurrentHwProfileW 266->270 273 4c50932-4c50b40 call 4c50b4f 270->273
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: _$4|
                                  • API String ID: 0-1878515764
                                  • Opcode ID: 9686d742fffeb5e5947d805e7581cc8052951e0d8be3a6c6a2ed6a80faa88e04
                                  • Instruction ID: 4f927c3b9ef2ba98afa71cc5f9d8a08f2af44faff600d7d7c3c994a4250b6e79
                                  • Opcode Fuzzy Hash: 9686d742fffeb5e5947d805e7581cc8052951e0d8be3a6c6a2ed6a80faa88e04
                                  • Instruction Fuzzy Hash: 44516CEB30C111BDB10195532B64EFF57AEE6D2770738882AFD07D2516F3946AC9603A

                                  Control-flow Graph

                                  control_flow_graph 296 4c50729-4c507ea call 4c507a5 304 4c507fc-4c5082c call 4c50833 296->304 308 4c507ec-4c507fa 304->308 309 4c5082e-4c50835 304->309 308->304 310 4c50837-4c50897 309->310 311 4c50898-4c508a6 309->311 316 4c508ae-4c508e4 310->316 313 4c508f9 311->313 314 4c508a8-4c508ad 311->314 317 4c508fb-4c50917 313->317 314->316 316->317 321 4c50928-4c50931 GetCurrentHwProfileW 317->321 324 4c50932-4c50b40 call 4c50b4f 321->324
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: _$4|
                                  • API String ID: 2104809126-1878515764
                                  • Opcode ID: e8865bd2d7933f1be8a3792bf8f192d26e7432d79d8a7e8b7a3dfade4ccadf71
                                  • Instruction ID: 729d76aa563f3df02e66ee1d12b1617e19dfab8f0f959f34f2e9ac47547f75b8
                                  • Opcode Fuzzy Hash: e8865bd2d7933f1be8a3792bf8f192d26e7432d79d8a7e8b7a3dfade4ccadf71
                                  • Instruction Fuzzy Hash: 9F516AEB20C111BDB10295532B64EFF57AEE6D2770738882AFD07D2516F3946AC9603A

                                  Control-flow Graph

                                  control_flow_graph 347 4c50760-4c507ea call 4c507a5 354 4c507fc-4c5082c call 4c50833 347->354 358 4c507ec-4c507fa 354->358 359 4c5082e-4c50835 354->359 358->354 360 4c50837-4c50897 359->360 361 4c50898-4c508a6 359->361 366 4c508ae-4c508e4 360->366 363 4c508f9 361->363 364 4c508a8-4c508ad 361->364 367 4c508fb-4c50917 363->367 364->366 366->367 371 4c50928-4c50931 GetCurrentHwProfileW 367->371 374 4c50932-4c50b40 call 4c50b4f 371->374
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: _$4|
                                  • API String ID: 0-1878515764
                                  • Opcode ID: ffa7130626d9f3a9d67a0805a3656356514b3030e1c72ce8fd02b48d046ab860
                                  • Instruction ID: d9c5097d38689f816befba03dbe8816e4ac30374b801bd0cd18a92c2ca7d30f3
                                  • Opcode Fuzzy Hash: ffa7130626d9f3a9d67a0805a3656356514b3030e1c72ce8fd02b48d046ab860
                                  • Instruction Fuzzy Hash: 76517CEB20C115BCB10281432B64EFF57AEE6D27707388836FD07D2516F2942EC9647A

                                  Control-flow Graph

                                  control_flow_graph 397 4c50769-4c507ea call 4c507a5 403 4c507fc-4c5082c call 4c50833 397->403 407 4c507ec-4c507fa 403->407 408 4c5082e-4c50835 403->408 407->403 409 4c50837-4c50897 408->409 410 4c50898-4c508a6 408->410 415 4c508ae-4c508e4 409->415 412 4c508f9 410->412 413 4c508a8-4c508ad 410->413 416 4c508fb-4c50917 412->416 413->415 415->416 420 4c50928-4c50931 GetCurrentHwProfileW 416->420 423 4c50932-4c50b40 call 4c50b4f 420->423
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: _$4|
                                  • API String ID: 2104809126-1878515764
                                  • Opcode ID: 14ee203a0b24db369d8fb530147515552971e4f1cb66d7e62b1bc0078bdab333
                                  • Instruction ID: c5eae8bff92d213489ad0a04b7113cdf3336234dcf4b27193dc3d97050480542
                                  • Opcode Fuzzy Hash: 14ee203a0b24db369d8fb530147515552971e4f1cb66d7e62b1bc0078bdab333
                                  • Instruction Fuzzy Hash: 1C516AEB20C115BCB10285436B64EFF676EE6D27707388826FD07D2516F3942AC9647A

                                  Control-flow Graph

                                  control_flow_graph 446 4c507a5-4c507ea 449 4c507fc-4c5082c call 4c50833 446->449 453 4c507ec-4c507fa 449->453 454 4c5082e-4c50835 449->454 453->449 455 4c50837-4c50897 454->455 456 4c50898-4c508a6 454->456 461 4c508ae-4c508e4 455->461 458 4c508f9 456->458 459 4c508a8-4c508ad 456->459 462 4c508fb-4c50917 458->462 459->461 461->462 466 4c50928-4c50931 GetCurrentHwProfileW 462->466 469 4c50932-4c50b40 call 4c50b4f 466->469
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: _$4|
                                  • API String ID: 2104809126-1878515764
                                  • Opcode ID: c5a4f84f99467a79031931f1a9f0c162ceedc19b7402a7cc6c8fda3ff59cbac3
                                  • Instruction ID: f7eb50d7a07ba89e442cade0e8a88266783c90eabdce447d7ff7c4ea5b26a598
                                  • Opcode Fuzzy Hash: c5a4f84f99467a79031931f1a9f0c162ceedc19b7402a7cc6c8fda3ff59cbac3
                                  • Instruction Fuzzy Hash: 66518EEB24C1117CB10285436B54EFF6B6EE6D27707388826FC07D5116F2846EC9617A

                                  Control-flow Graph

                                  control_flow_graph 492 4c507c3-4c507ea 494 4c507fc-4c5082c call 4c50833 492->494 498 4c507ec-4c507fa 494->498 499 4c5082e-4c50835 494->499 498->494 500 4c50837-4c50897 499->500 501 4c50898-4c508a6 499->501 506 4c508ae-4c508e4 500->506 503 4c508f9 501->503 504 4c508a8-4c508ad 501->504 507 4c508fb-4c50917 503->507 504->506 506->507 511 4c50928-4c50931 GetCurrentHwProfileW 507->511 514 4c50932-4c50b40 call 4c50b4f 511->514
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: _$4|
                                  • API String ID: 2104809126-1878515764
                                  • Opcode ID: aaaeb8968f96ba5febdcdd6b755d6479d9fea8622aa0b712809aed48be602db8
                                  • Instruction ID: de15f3ffa7a51e69714eee93fe4f52f19e6c89001ee10a0620d5beb5ed2c2e5e
                                  • Opcode Fuzzy Hash: aaaeb8968f96ba5febdcdd6b755d6479d9fea8622aa0b712809aed48be602db8
                                  • Instruction Fuzzy Hash: 6C415BEB24C115BCB10285432B64EFF676EE6D2730738883AFD07D1526F2946EC9607A

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 537 4c507b1-4c507ea 540 4c507fc-4c5082c call 4c50833 537->540 544 4c507ec-4c507fa 540->544 545 4c5082e-4c50835 540->545 544->540 546 4c50837-4c50897 545->546 547 4c50898-4c508a6 545->547 552 4c508ae-4c508e4 546->552 549 4c508f9 547->549 550 4c508a8-4c508ad 547->550 553 4c508fb-4c50917 549->553 550->552 552->553 557 4c50928-4c50931 GetCurrentHwProfileW 553->557 560 4c50932-4c50b40 call 4c50b4f 557->560
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: _$4|
                                  • API String ID: 2104809126-1878515764
                                  • Opcode ID: cfa317993fff8397aa323c612ba5f12ebf24f9c58382a9ff56814567f0fdae4f
                                  • Instruction ID: 4846cb5ac9f7188514198cf887931f46eaf29892ef21ad9a3fdfdc332ee04e1c
                                  • Opcode Fuzzy Hash: cfa317993fff8397aa323c612ba5f12ebf24f9c58382a9ff56814567f0fdae4f
                                  • Instruction Fuzzy Hash: 43414BEB24C115BCB10281432B64EFF576EE6D67707388436FD07D1526F2846EC9607A

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 583 114623-114633 584 114635-114648 call 10d22c call 10d23f 583->584 585 11464d-11464f 583->585 599 1149a7 584->599 587 114655-11465b 585->587 588 11498f-11499c call 10d22c call 10d23f 585->588 587->588 590 114661-11468a 587->590 607 1149a2 call 1047a0 588->607 590->588 593 114690-114699 590->593 596 1146b3-1146b5 593->596 597 11469b-1146ae call 10d22c call 10d23f 593->597 602 11498b-11498d 596->602 603 1146bb-1146bf 596->603 597->607 605 1149aa-1149ad 599->605 602->605 603->602 604 1146c5-1146c9 603->604 604->597 609 1146cb-1146e2 604->609 607->599 611 1146e4-1146e7 609->611 612 114717-11471d 609->612 614 1146e9-1146ef 611->614 615 11470d-114715 611->615 616 1146f1-114708 call 10d22c call 10d23f call 1047a0 612->616 617 11471f-114726 612->617 614->615 614->616 619 11478a-1147a9 615->619 648 1148c2 616->648 620 114728 617->620 621 11472a-11472b call 116e2d 617->621 624 114865-11486e call 120d44 619->624 625 1147af-1147bb 619->625 620->621 627 114730-114748 call 116db3 * 2 621->627 637 114870-114882 624->637 638 1148df 624->638 625->624 626 1147c1-1147c3 625->626 626->624 630 1147c9-1147ea 626->630 651 114765-114788 call 10e13d 627->651 652 11474a-114760 call 10d23f call 10d22c 627->652 630->624 634 1147ec-114802 630->634 634->624 639 114804-114806 634->639 637->638 642 114884-114893 637->642 643 1148e3-1148f9 ReadFile 638->643 639->624 646 114808-11482b 639->646 642->638 661 114895-114899 642->661 644 114957-114962 643->644 645 1148fb-114901 643->645 663 114964-114976 call 10d23f call 10d22c 644->663 664 11497b-11497e 644->664 645->644 649 114903 645->649 646->624 650 11482d-114843 646->650 653 1148c5-1148cf call 116db3 648->653 656 114906-114918 649->656 650->624 657 114845-114847 650->657 651->619 652->648 653->605 656->653 665 11491a-11491e 656->665 657->624 666 114849-114860 657->666 661->643 662 11489b-1148b3 661->662 683 1148b5-1148ba 662->683 684 1148d4-1148dd 662->684 663->648 673 114984-114986 664->673 674 1148bb-1148c1 call 10d1e5 664->674 671 114920-114930 call 114335 665->671 672 114937-114944 665->672 666->624 691 114933-114935 671->691 680 114950-114955 call 11417b 672->680 681 114946 call 11448c 672->681 673->653 674->648 692 11494b-11494e 680->692 681->692 683->674 684->656 691->653 692->691
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: df5df6b3ff81df0ffd754a9702fb2e35624b70e591c6be74f7bfe7d42bd2f573
                                  • Instruction ID: c704f0c6f2771019082144b51c8e4ef4d14fbcdfc16ea98c2b87cc4d953729fc
                                  • Opcode Fuzzy Hash: df5df6b3ff81df0ffd754a9702fb2e35624b70e591c6be74f7bfe7d42bd2f573
                                  • Instruction Fuzzy Hash: EFB1E670E04249AFDB19DFE8E841BEEBBB1AF59704F144168E5549B292C770AD81CBA0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 730 2a210-2a2ab call ff290 call 22ae0 735 2a2b0-2a2bb 730->735 735->735 736 2a2bd-2a2c8 735->736 737 2a2ca 736->737 738 2a2cd-2a2de call 105362 736->738 737->738 741 2a2e0-2a305 call 109136 call 104eeb call 109136 738->741 742 2a351-2a357 738->742 759 2a307 741->759 760 2a30c-2a316 741->760 744 2a381-2a393 742->744 745 2a359-2a365 742->745 746 2a377-2a37e call ff511 745->746 747 2a367-2a375 745->747 746->744 747->746 749 2a394-2a3ae call 1047b0 747->749 757 2a3b0-2a3bb 749->757 757->757 761 2a3bd-2a3c8 757->761 759->760 762 2a328-2a32f call 8cf60 760->762 763 2a318-2a31c 760->763 764 2a3ca 761->764 765 2a3cd-2a3df call 105362 761->765 770 2a334-2a33a 762->770 766 2a320-2a326 763->766 767 2a31e 763->767 764->765 774 2a3e1-2a3f9 call 109136 call 104eeb call 108be8 765->774 775 2a3fc-2a403 765->775 766->770 767->766 772 2a33e-2a349 call 10dbdf call 108be8 770->772 773 2a33c 770->773 791 2a34e 772->791 773->772 774->775 776 2a405-2a411 775->776 777 2a42d-2a433 775->777 781 2a423-2a42a call ff511 776->781 782 2a413-2a421 776->782 781->777 782->781 785 2a434-2a45e call 1047b0 782->785 797 2a460-2a464 785->797 798 2a46f-2a474 785->798 791->742 797->798 799 2a466-2a46e 797->799
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  • Opcode ID: 38dc4b22c3d6ed092849930564b76598d965698d032374d7aa7c8cf016f6fd9b
                                  • Instruction ID: ae9ef950b8e0da575611d6ed28f13e89748a7bdebbddb70b49ce1ca457aff34c
                                  • Opcode Fuzzy Hash: 38dc4b22c3d6ed092849930564b76598d965698d032374d7aa7c8cf016f6fd9b
                                  • Instruction Fuzzy Hash: 8F717C70A00214AFDB14DF68DC49BAFB7E8EF42710F10856DF8059B682DBB5DA41C7A2
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 454989915328d72f930a1881ab2f9d0471a69508614fa7a0f72529abfabf70b9
                                  • Instruction ID: 23fba6a41b570d23051e3df7a3bf33b45552c5fb015532eac85c6313a07e5b1f
                                  • Opcode Fuzzy Hash: 454989915328d72f930a1881ab2f9d0471a69508614fa7a0f72529abfabf70b9
                                  • Instruction Fuzzy Hash: 2F412CEB24C115BCB10185436B64EFF676EE6D6B307388826FD07D1516F3846EC96079
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 32fab0d0cfd7ab06342f8d6672489ed1bcfdaebe19e80076a5bad6ed79d375e0
                                  • Instruction ID: 31dbd3a22b49845d99a3d13a55a67496dde6e98436720fa832207012893b2142
                                  • Opcode Fuzzy Hash: 32fab0d0cfd7ab06342f8d6672489ed1bcfdaebe19e80076a5bad6ed79d375e0
                                  • Instruction Fuzzy Hash: 0A414BEB30C125BCB11185432B60EFF57AEE2D67307388826FC07D1526F3846AC9607A
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C5092A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 2e7171376ffd36bf3c7b54570031714496f56467e1cd7096eaec9cd81eac1f51
                                  • Instruction ID: 77cdf3dd632dd0c91e1b09bfdf5c73cd4184c27b587872afb0fe19d03919065c
                                  • Opcode Fuzzy Hash: 2e7171376ffd36bf3c7b54570031714496f56467e1cd7096eaec9cd81eac1f51
                                  • Instruction Fuzzy Hash: 49413BEB30C165BCB10285532B54EFF67AEE6D2B307388826FD07D1516F3842A89617A
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C5092A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 45b16287e7d32b8a8fbad7c8872e03350a2916f16ea484a09d1f1a6655099e8d
                                  • Instruction ID: 5b9e045fd61897521384bda92e7058364cd494694d6e16971aa9428577e89149
                                  • Opcode Fuzzy Hash: 45b16287e7d32b8a8fbad7c8872e03350a2916f16ea484a09d1f1a6655099e8d
                                  • Instruction Fuzzy Hash: 0D311AEB34C125BDB11185432B64EFF67AEE6D2730738882AFC07D1516F3856AC9603A
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00109087,?,00000000,00000000,00000000,?,00000000,?,0002A3EB,00109087,00000000,0002A3EB,?,?), ref: 00115621
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: d7728ba1009a5c66eae4e9d6c42b3c0da45566ab53f5e138a08c6776a881c38c
                                  • Instruction ID: d2c801e467a1c1fe0f6b5c54fab927f8b9a40b7606fa9a0c8cc0c2cad9cdc476
                                  • Opcode Fuzzy Hash: d7728ba1009a5c66eae4e9d6c42b3c0da45566ab53f5e138a08c6776a881c38c
                                  • Instruction Fuzzy Hash: F061C171D04519EFDF19DFA8C884EEEBBBBAF99304F540169E800A7256D371D981CBA0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C5092A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: be7d9828af38bff367a033df40cb834a71798f72c82c99ff9d9c5255c5f76250
                                  • Instruction ID: 83873a174b84bf0beff651c7882805e2b41a8cc972d15c988cf1298fdccd6974
                                  • Opcode Fuzzy Hash: be7d9828af38bff367a033df40cb834a71798f72c82c99ff9d9c5255c5f76250
                                  • Instruction Fuzzy Hash: D6313BEB30C115BCB11185432B60EFE57AFE6D27307388826FD07D551AF3856AC9607A
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C5092A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 56a94cdb14f2a5e00e42cd84e6fb1d16e0a92ef498efba253b7bbd09d39535f2
                                  • Instruction ID: 1695950836b40b30acc88aea96e59e13f2946d239bb85d03545881fb4dc3a641
                                  • Opcode Fuzzy Hash: 56a94cdb14f2a5e00e42cd84e6fb1d16e0a92ef498efba253b7bbd09d39535f2
                                  • Instruction Fuzzy Hash: EF3107EB30C121BCB10185432B64EFF57AEE6D2B307388826FC07D151AF3856A89607A
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C5092A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: ac5be39bd8b0705b9787082c414ac7596d8f4a0b9c3cc807dce92ec5b021dcb9
                                  • Instruction ID: c3a8f838fab4ebb199bc150ab12094ee66a5482d4178f506c9019b27cdeb3c6b
                                  • Opcode Fuzzy Hash: ac5be39bd8b0705b9787082c414ac7596d8f4a0b9c3cc807dce92ec5b021dcb9
                                  • Instruction Fuzzy Hash: FF314BEB30C125BDB10181832B64EFF57AEE6D6730338882AFC07D511AF3855A89603A
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C5092A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 7fc601990c48629fcb18232598bae7df8e4512166f257728ec572fdd3f582b58
                                  • Instruction ID: 890ae30ae0f24b1cbde32c1500c00d406430838a590c8391746af41440e93785
                                  • Opcode Fuzzy Hash: 7fc601990c48629fcb18232598bae7df8e4512166f257728ec572fdd3f582b58
                                  • Instruction Fuzzy Hash: 38311AEB34C121BCB10185432B64EFF57AEE6D27307388826FC07D151AF3846A89643A
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C5092A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505464326.0000000004C50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c50000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: fcf85ae936254f6aa7b12d961b2bdc203ee1e96d042eb8ddfbc84bbaa97f6fca
                                  • Instruction ID: 094cff802be3afe56d6e39592e3f8af2ffc670ee537ddff85b372f5e72938e17
                                  • Opcode Fuzzy Hash: fcf85ae936254f6aa7b12d961b2bdc203ee1e96d042eb8ddfbc84bbaa97f6fca
                                  • Instruction Fuzzy Hash: 84315EE730C151BCB14285432F50EFF67AED5D2730338846AFC07D5115F3941A89613A
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5680664d298a5cf4d142bf44778696749a1fbb439eaa4d61aa2b2e804439b3fb
                                  • Instruction ID: ba233d524002e889bc2fad20444506d2d844de01dbefec968e0307d9a42a42a1
                                  • Opcode Fuzzy Hash: 5680664d298a5cf4d142bf44778696749a1fbb439eaa4d61aa2b2e804439b3fb
                                  • Instruction Fuzzy Hash: D451C8B4B00108EFDF14DF58CCC1AAA7BB1EF59354F258158F98A5B292D3B19E41CB90
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 000906AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction ID: 28fb4cf4c10eace556036a502cf5ac0f93eab2d7ca73d8923a30892687505022
                                  • Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction Fuzzy Hash: 3341D472A001189FCF15DF68D8806AE7BE5AF89350F150169FC45EB342D770DD60ABE1
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,001149F9,00000000,CF830579,00151140,0000000C,00114AB5,00108BBD,?), ref: 00114B68
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: cb44ae0f01028549c9c96333b1c67ec12c57c7dcd662576b835122e962c087ff
                                  • Instruction ID: d6e963730decad545ac22abb027e7b7ad2a74c99b108baaef99d3e6d5d527d7a
                                  • Opcode Fuzzy Hash: cb44ae0f01028549c9c96333b1c67ec12c57c7dcd662576b835122e962c087ff
                                  • Instruction Fuzzy Hash: 6311483264921417D62C22746801FFE6B8A8F92BB4F3A0279F8549B1C2EF60E8C1819D
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00150DF8,0002A3EB,00000002,0002A3EB,00000000,?,?,?,0010E166,00000000,?,0002A3EB,00000002,00150DF8), ref: 0010E098
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: 11a31a49a7d000fa43c68fbcf4cc219b87308b615e50134bf18913a3da644f46
                                  • Instruction ID: 7d02c6388e74c275cddb58488702e4bedf9059c134eb2e2fca7303924a52682d
                                  • Opcode Fuzzy Hash: 11a31a49a7d000fa43c68fbcf4cc219b87308b615e50134bf18913a3da644f46
                                  • Instruction Fuzzy Hash: E701D632714115AFCF199F5ADC05D9E3BAADF81324B250249F8909B2D1EBB2ED419BD0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0002220E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID:
                                  • API String ID: 2659868963-0
                                  • Opcode ID: 1125459d3e5761901e290a3259a531ffd300e40fad3cb3d5e7db945a87cd0ec8
                                  • Instruction ID: 387f39860ffb1a63e469a098416edf93c7b403ef64935046e8e26742352a4316
                                  • Opcode Fuzzy Hash: 1125459d3e5761901e290a3259a531ffd300e40fad3cb3d5e7db945a87cd0ec8
                                  • Instruction Fuzzy Hash: 28012B3540030DBBCB24AF98F8019B977EC9F00320F408439FB58DB991E7B0E9649790
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,001091F7,00000000,?,00115D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,0010D244,001089C3,001091F7,00000000), ref: 00116435
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 4d25b5ebf20d549e2ad9e7f5391648d1e5c2c1f542172cef05b0d0e94e400e4f
                                  • Instruction ID: 86ac2cb51e25eb995a9d605ce5c6e834559027cb9ca252c5fa8125ee6972bc37
                                  • Opcode Fuzzy Hash: 4d25b5ebf20d549e2ad9e7f5391648d1e5c2c1f542172cef05b0d0e94e400e4f
                                  • Instruction Fuzzy Hash: 84F0E932500224A6DB2D6B62AC02BEB7B489F41760F158031FC08969C0CB32E89182F1
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,0011D635,4D88C033,?,0011D635,00000220,?,001157EF,4D88C033), ref: 00116E5F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 4697d1b24e80cb33c329d45a4eb898a77d12f93164795edd45cd44ffe78760dd
                                  • Instruction ID: 5b4c8d43957fdc9e5a92baff4a54fd95909f28c0715b6b58cbe2d67be2228a7e
                                  • Opcode Fuzzy Hash: 4697d1b24e80cb33c329d45a4eb898a77d12f93164795edd45cd44ffe78760dd
                                  • Instruction Fuzzy Hash: ECE02B3A14362166DF386265ED017DB768C8F517B0F160330FC44960D0DF12CCC045E5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505584049.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c60000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: vL<
                                  • API String ID: 0-3483418118
                                  • Opcode ID: faf49ec15b74a125d314485ec565e6f08de29f5068a69b84966295707c16de16
                                  • Instruction ID: d9626c6944f1e378f5dd3d910239f7c4087248b276cc69dc98183e0b047d6206
                                  • Opcode Fuzzy Hash: faf49ec15b74a125d314485ec565e6f08de29f5068a69b84966295707c16de16
                                  • Instruction Fuzzy Hash: FE11E7EB24C204BDA60395536AD49FB2B6BEAC3734335C467F403E1506F2E41B4AA532
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505584049.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c60000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: vL<
                                  • API String ID: 0-3483418118
                                  • Opcode ID: 1c977d2c40772a29b30a916cedd3dd8b9c086208f31b2151469ea58571387d5d
                                  • Instruction ID: c4cf9f53cc2ea95a8d328e645631434829c5ad77fef29e54599dabaa7a2cc76e
                                  • Opcode Fuzzy Hash: 1c977d2c40772a29b30a916cedd3dd8b9c086208f31b2151469ea58571387d5d
                                  • Instruction Fuzzy Hash: BA11E3EB34C214BDA102D9435ED49FB2B6FEAC2330338C466F403E2006F2A01B4A7472
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505584049.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c60000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: vL<
                                  • API String ID: 0-3483418118
                                  • Opcode ID: f98c94b2aa2bf138fcbeb74322f7229bc8a67cda2848043145d711c240820462
                                  • Instruction ID: 53c5c0f2217c94a562e242e7e510d76d09ed5bcd85499c3bba4ebaf5b7c51667
                                  • Opcode Fuzzy Hash: f98c94b2aa2bf138fcbeb74322f7229bc8a67cda2848043145d711c240820462
                                  • Instruction Fuzzy Hash: EE11CAEB34C204BDA502D9576ED49FB276FEAC2730334C556F403E5506F2A4574A7472
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505584049.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c60000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: vL<
                                  • API String ID: 0-3483418118
                                  • Opcode ID: 7aaba766e6cf0c6c3d8bab9af99edce71c69d59e7becc5b58524ddadc2adb523
                                  • Instruction ID: 8a30b723ea2a4e0dda9eaada0f0c33cce61f8974b43335b54a83c97ed9c96229
                                  • Opcode Fuzzy Hash: 7aaba766e6cf0c6c3d8bab9af99edce71c69d59e7becc5b58524ddadc2adb523
                                  • Instruction Fuzzy Hash: 7D01D6AB30C204BDB502D9576AD49FB2B6BEAC2730338C566F403E5506E3A4164AA532
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505584049.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c60000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: vL<
                                  • API String ID: 0-3483418118
                                  • Opcode ID: a9cb4a83c9c0f5d4e0635e7a0c8f2e70f2d7596c29d71ee0048e25c54b94a627
                                  • Instruction ID: 825971fa5f15fbbd900c0a06ec091f843de41f6e3ee1a4d9b41c040d5c270c35
                                  • Opcode Fuzzy Hash: a9cb4a83c9c0f5d4e0635e7a0c8f2e70f2d7596c29d71ee0048e25c54b94a627
                                  • Instruction Fuzzy Hash: 4A0140A714C344AFEA029B535DD55FD7B67FF93334338809AE083B6112D6701B479612
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505584049.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c60000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: vL<
                                  • API String ID: 0-3483418118
                                  • Opcode ID: c32e31f0870355e122ce024ee6d2f96d5c253018ffee583983e303ba7ee6c079
                                  • Instruction ID: 43ca99aa272e9bccf5cf92e189ce2fb5297fbc026d0b4ca81eb502db4667b3fe
                                  • Opcode Fuzzy Hash: c32e31f0870355e122ce024ee6d2f96d5c253018ffee583983e303ba7ee6c079
                                  • Instruction Fuzzy Hash: 77F050AB208308EDD602DE9399D0AFA3B67EF86230378C142F547B4401F2702746A953
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505584049.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c60000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: vL<
                                  • API String ID: 0-3483418118
                                  • Opcode ID: 3a5df1f8b07f7c733f3b4b969a135bef95e759d7de1e0f0e5c0b1f16a030f343
                                  • Instruction ID: dad71d4ba5dcc4c352ba505cdb77625aaefd3fbc22d45fc3f13507f0047f241c
                                  • Opcode Fuzzy Hash: 3a5df1f8b07f7c733f3b4b969a135bef95e759d7de1e0f0e5c0b1f16a030f343
                                  • Instruction Fuzzy Hash: 35F0C6975452489EC702EDB744D07FD7BD79FC1730338C156D48376405F16057439952
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505584049.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c60000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: vL<
                                  • API String ID: 0-3483418118
                                  • Opcode ID: fc63f88710f15e423fea381f14abd2d76aec056a08592edc808e75ed0d022670
                                  • Instruction ID: bd6586041984c9a766dca32ccf8a6d7211ebf20e2592a61916c24b0a8e4640ff
                                  • Opcode Fuzzy Hash: fc63f88710f15e423fea381f14abd2d76aec056a08592edc808e75ed0d022670
                                  • Instruction Fuzzy Hash: D1F0E96B208308EAEA02EE9799D49BA2767EF92330338C552F543B4005E2706646A953
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505584049.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c60000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: vL<
                                  • API String ID: 0-3483418118
                                  • Opcode ID: 254c8ee6ffa43474a0a640775e4d1a04492a0464269871aac0317e6fe6e2ec0b
                                  • Instruction ID: 4df8124b4a2d4e0ca88d2d951d5e61733d514a2907dcdd737079e8ef92face32
                                  • Opcode Fuzzy Hash: 254c8ee6ffa43474a0a640775e4d1a04492a0464269871aac0317e6fe6e2ec0b
                                  • Instruction Fuzzy Hash: 73F05CD360834CAB9702B6F655E42BD2B8B9F83330338C196E843B6006F1611A42D593
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4505584049.0000000004C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4c60000_LisectAVT_2403002A_163.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3e07b5f21aadede5ef43eb1985b6436cfaf6cb7907d9e65d9a9be613a4c8435e
                                  • Instruction ID: ea0f66dbef2aa0b73f57efd4b67c9fd3acd978c71f36b352395e47fb70db0c19
                                  • Opcode Fuzzy Hash: 3e07b5f21aadede5ef43eb1985b6436cfaf6cb7907d9e65d9a9be613a4c8435e
                                  • Instruction Fuzzy Hash: 35D02B458190C059D602E37864DC6FD2F4F5FC3128B4891C4D191B140DD184A143C101
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $$%s|%s$,$,$.$.$131$:$arqt$er$irvl$type must be boolean, but is $v|
                                  • API String ID: 0-4208100968
                                  • Opcode ID: c49450e55ee90d85b7c8becbb8583e32486b43ae90da9b5006a9b472a199e0de
                                  • Instruction ID: 60c121c4adc8250e6b975baea5afc368c4d1429b36b7e15de1b8682bcefe35ba
                                  • Opcode Fuzzy Hash: c49450e55ee90d85b7c8becbb8583e32486b43ae90da9b5006a9b472a199e0de
                                  • Instruction Fuzzy Hash: 1023B170D002588FDB66DF68C858BEDBBF8FF06304F148199E549AB292DB359A84CF51
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: File$bkg`$eHlW$l$lwcf$p$t
                                  • API String ID: 0-3184506882
                                  • Opcode ID: dfd9583070a348031dc7588126a4d3ae53c2708e794dc4965957c4e2bb16d6c5
                                  • Instruction ID: dc3a98511f9b5112ac668a2e51b89535bf72484f758ad52b78e648d6c0555c2b
                                  • Opcode Fuzzy Hash: dfd9583070a348031dc7588126a4d3ae53c2708e794dc4965957c4e2bb16d6c5
                                  • Instruction Fuzzy Hash: F5C1CF70D0026DAEEF24DFA4DC85BEEBBB9FF05304F104069E504AB291DBB19A45CB65
                                  Strings
                                  • unordered_map/set too long, xrefs: 000978C7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: unordered_map/set too long
                                  • API String ID: 0-306623848
                                  • Opcode ID: 1d777b36eb0410ee21f0131a301b6142232b75d60e541ff4f5493636f4147767
                                  • Instruction ID: efb887b5a1a39a5c2f5c9f9f481dd9a84341a77962dc3b07c018f8efc3be5d30
                                  • Opcode Fuzzy Hash: 1d777b36eb0410ee21f0131a301b6142232b75d60e541ff4f5493636f4147767
                                  • Instruction Fuzzy Hash: C2626176E046199FCF14DF68C8846AEFBF5FF48310F248269E819AB395D730A951CB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction ID: 0d59089133143de85db3d0dcd91ab35c300338eb5e1ee36cb7234661192a340d
                                  • Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction Fuzzy Hash: CE024C71E042199BDF14CFA8C8806AEFBF1FF48314F25826AD599E7381DB71A941CB90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: /Kim$/Kim$type must be number, but is $type must be string, but is
                                  • API String ID: 0-1144537432
                                  • Opcode ID: 3d632a8fa34c5cc2c817aef7d77c5f0fc1112215f14c5fbf828e2739d4cc2844
                                  • Instruction ID: c70e2dce686a067ecaccf7f049cc9fe62509ad45643b385d64a5180fd35dbe50
                                  • Opcode Fuzzy Hash: 3d632a8fa34c5cc2c817aef7d77c5f0fc1112215f14c5fbf828e2739d4cc2844
                                  • Instruction Fuzzy Hash: 7C911472E006189FCB08CF6DDC917DDBBA9EB89310F14826EE819D7391EB759905CB80
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: /$/\/$\
                                  • API String ID: 0-1523196992
                                  • Opcode ID: 7835f2f5f22b533d0f2f922c88bcc4156f0bfd30c9fb3c424b6b4cd009d572e9
                                  • Instruction ID: 8fc32ea1e2afa308cec51f572ab46672763e2dd9d7983da0b58bf73e449fcc00
                                  • Opcode Fuzzy Hash: 7835f2f5f22b533d0f2f922c88bcc4156f0bfd30c9fb3c424b6b4cd009d572e9
                                  • Instruction Fuzzy Hash: 7292F371D002688FDF19CFA8D894BEEBBF5BF45314F1442ADD445AB282E7315A46CBA0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: `ic$eIcm$yNrw
                                  • API String ID: 0-2666854388
                                  • Opcode ID: c25348e252f3a17523f23c823acedce5b114ebd6b3e5deacde7f95df2974087e
                                  • Instruction ID: 5c6b1f6592eaf51e201e4e739093f91584922bb4a9ec01486ef8ff42fdf1dac0
                                  • Opcode Fuzzy Hash: c25348e252f3a17523f23c823acedce5b114ebd6b3e5deacde7f95df2974087e
                                  • Instruction Fuzzy Hash: D9815CB0C1834CAEDF04CFA4D8456EEBBB9EF56304F50809ED841AB691D779434ACBA5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: 77aeccf53a57f23641d3bbd2b494d74b55016c6c4c27fe50736ad374174d3ced
                                  • Instruction ID: 939b9e01ccf7081555e4ca82a4bea82efde8ad3cb7a68e3ee61920ba0137ba98
                                  • Opcode Fuzzy Hash: 77aeccf53a57f23641d3bbd2b494d74b55016c6c4c27fe50736ad374174d3ced
                                  • Instruction Fuzzy Hash: 16B1AD74A0464ACFCB28CF68C880ABAB7B1EF15310F144719E9E6972D2C7B1A945CF91
                                  APIs
                                  • GetSystemTimePreciseAsFileTime.KERNEL32(?,?,000FEC78,?,?,?,?,000340EB,?,00083C2E), ref: 000FF283
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$FilePreciseSystem
                                  • String ID:
                                  • API String ID: 1802150274-0
                                  • Opcode ID: f8373770fbbeddc4dd18691d2a88d346c97d7bca29e86187cb16acaf10901583
                                  • Instruction ID: d3c60642193a093c63de0aedfc9c257ca45a7a9e60c04214f58130d8d9536380
                                  • Opcode Fuzzy Hash: f8373770fbbeddc4dd18691d2a88d346c97d7bca29e86187cb16acaf10901583
                                  • Instruction Fuzzy Hash: 59D0223358113CA38AF13BC4EC0087DBB689F09BD0340403FEA0957924DA116C01EBD4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 324fda5de72cdb788e34d7d190746c0adaacdca038c6445bc5913a83b91f1e5c
                                  • Instruction ID: dea53d8f96d02d2017452ee06d24a3b684f505b8fc47b2cff9abb4816e2f6041
                                  • Opcode Fuzzy Hash: 324fda5de72cdb788e34d7d190746c0adaacdca038c6445bc5913a83b91f1e5c
                                  • Instruction Fuzzy Hash: 7E6291B0F002049FDB54CF99C5846ADBBF1AF8A304F2881ADD815AB386D735D946CF91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 70b6451b1101287022d949ea5f9bf951cba9cb87a621b2f59f215e4123a75e60
                                  • Instruction ID: 039758f842f05305be446597890d1d007348298fc392b787f415941a1d82d108
                                  • Opcode Fuzzy Hash: 70b6451b1101287022d949ea5f9bf951cba9cb87a621b2f59f215e4123a75e60
                                  • Instruction Fuzzy Hash: 27B12A316106089FD719CF28C496BA57BE0FF45364F29866CE8AACF2A1C335E995CB40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fde1f246163c47add8a3364d6f64b4200d21ac24ad19db63412b45619989ae58
                                  • Instruction ID: 57acb74c9f0583a3822c541722dc33f1d0c7d45481964a6521d1839b7109ce6d
                                  • Opcode Fuzzy Hash: fde1f246163c47add8a3364d6f64b4200d21ac24ad19db63412b45619989ae58
                                  • Instruction Fuzzy Hash: 7B7143B5E04666AFDB14CFA8E8D47FEBBB4EB19304F000169D86497743C734894AC7A0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 24ce66532752490cfd0a468724e13a769b1c9c2c8f166097e0f946ec8cf0c7c9
                                  • Instruction ID: 0ca513c7bf9cca891e54a338d25068266848b70d6de2d3781651051fcd32e4f4
                                  • Opcode Fuzzy Hash: 24ce66532752490cfd0a468724e13a769b1c9c2c8f166097e0f946ec8cf0c7c9
                                  • Instruction Fuzzy Hash: DF6180716141648FD718CF5EECC05263361A78A32138A422AEBC0DB7A6D735E966D7E0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: df384dc6599e5ee047282731b178ead84372e094354c22c40a7728cb85e9aa1a
                                  • Instruction ID: c85d106914a5301e018f54ebd34c657cffc61528e0ca633cc430d0667ac6d409
                                  • Opcode Fuzzy Hash: df384dc6599e5ee047282731b178ead84372e094354c22c40a7728cb85e9aa1a
                                  • Instruction Fuzzy Hash: 9E51BC71E002099FCB19DF98D881AEEBBB9FB88310F14456DE419BB351D730AA44CBA0
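The dump names repeated in every "Memory Dump Source" block above encode, among other fields, the region's base address (field 4, which matches the report's "Offset"), its page protection at dump time (field 5, a winnt.h PAGE_* value) and its mapping type (field 7, 01000000 = MEM_IMAGE). The decoder below is an added example written for this page; it is not part of the Joe Sandbox report or its IDA plugin. It reads those three fields by their evident values and carries the remaining fields through unparsed, since their meaning is not documented on this page and is left as an assumption. Its input is the dump list from this report, copied as it appears.

```python
"""Decode Joe Sandbox .sdmp memory-dump names and flag writable+executable
image regions.  Added example; not part of the Joe Sandbox report or its tools."""
import re
from dataclasses import dataclass

# Page protections from winnt.h; the low byte holds exactly one of these.
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
# MEMORY_BASIC_INFORMATION.Type values.
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000

PROTECT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Eight dotted hex fields followed by ".sdmp"; stops before any trailing page text.
SDMP_RE = re.compile(r"[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+){7}\.sdmp")


@dataclass(frozen=True)
class DumpRegion:
    name: str
    base: int         # field 4: region base address (matches the report's "Offset")
    protect: int      # field 5: PAGE_* protection at dump time
    region_type: int  # field 7: MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE
    opaque: tuple     # fields 1-3, 6, 8: assumption, meaning not documented on the page

    @property
    def executable(self) -> bool:
        return (self.protect & 0xFF) in (PAGE_EXECUTE, PAGE_EXECUTE_READ,
                                         PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)

    @property
    def writable(self) -> bool:
        return (self.protect & 0xFF) in (PAGE_READWRITE, PAGE_WRITECOPY,
                                         PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)

    def describe(self, image_base: int) -> str:
        prot = PROTECT_NAMES.get(self.protect & 0xFF, hex(self.protect))
        typ = TYPE_NAMES.get(self.region_type, hex(self.region_type))
        return f"{self.base:#010x} (RVA {self.base - image_base:#x}) {prot} {typ}"


def parse_sdmp(name: str) -> DumpRegion:
    """Split one .sdmp name into its fields.  Fields 4, 5 and 7 are identified
    by their values (addresses, valid PAGE_* and MEM_* constants); the rest are
    carried through untouched."""
    parts = name.split(".")
    if len(parts) != 9 or parts[-1] != "sdmp":
        raise ValueError(f"unexpected dump name: {name!r}")
    f = parts[:8]
    return DumpRegion(name=name, base=int(f[3], 16), protect=int(f[4], 16),
                      region_type=int(f[6], 16), opaque=(f[0], f[1], f[2], f[5], f[7]))


def extract_regions(report_text: str) -> list[DumpRegion]:
    """Every distinct .sdmp name in a block of report text, in order of appearance."""
    seen, regions = set(), []
    for m in SDMP_RE.finditer(report_text):
        if m.group(0) not in seen:
            seen.add(m.group(0))
            regions.append(parse_sdmp(m.group(0)))
    return regions


def writable_executable_image_regions(regions) -> list[int]:
    """Bases of image-mapped regions that are writable and executable at once.
    The loader gives PAGE_EXECUTE_WRITECOPY (0x80) to a section whose header is
    flagged both W and X; PAGE_EXECUTE_READWRITE (0x40) on an image mapping means
    the pages were written to or re-protected after mapping, which is what
    unpacking stubs and self-modifying code leave behind."""
    return sorted(r.base for r in regions
                  if r.region_type == MEM_IMAGE and r.writable and r.executable)


# Sample input: the "Memory Dump Source" block of this report, as it appears on the page.
IMAGE_BASE = 0x20000  # from "Offset: 00020000, based on PE: true"
REPORT_BLOCK = """
Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000
Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmpDownload File
"""

if __name__ == "__main__":
    regs = extract_regions(REPORT_BLOCK)
    for r in regs:
        print(r.describe(IMAGE_BASE))
    print("W+X image regions:", [hex(b) for b in writable_executable_image_regions(regs)])
```

Run over this block, the decoder reports the source dump at RVA 0x1000 (typically the first section after the PE headers) as PAGE_EXECUTE_READWRITE inside a MEM_IMAGE mapping, and ten of the twelve regions as writable and executable; only the header page at 0x20000 and the region at 0x158000 are plain PAGE_READWRITE. That is the memory state of an image that has been unpacked or rewritten at run time, and it is the reason the functions listed in this section are disassembled from the dumped regions rather than from the file on disk.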
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
                                  • Instruction ID: b30cacc571e6b2c8896a61230ba7ab40531f15dbcc63e0843f11c13f4e9fb5b2
                                  • Opcode Fuzzy Hash: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
                                  • Instruction Fuzzy Hash: B5518D72E00219EFDF14CF98CD41AEEBBB2FF88350F198458E955AB241D774AA50CB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                  • Instruction ID: 763b3e2c8dca7185d9998ba1807563b591b4a0c2a9c9e0d90d18f6c40c299f8a
                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                  • Instruction Fuzzy Hash: EE1108B724048243D6148AADD8BC6B6A395EAD632472D836AD0C14B6D8E3F2DD459700
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0008F833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0008F855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0008F875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0008F89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0008F90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0008F959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0008F973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0008FA08
                                  • std::_Facet_Register.LIBCPMT ref: 0008FA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$Ps
                                  • API String ID: 3375549084-1174896957
                                  • Opcode ID: 7cc65533d950c0cd34bbe87c433f160ad0065744080068234088ee791846f120
                                  • Instruction ID: 12ce321211f8447f6149fa1bd6ff6eadf106f7650ca40f2ecbe65fc813fec00d
                                  • Opcode Fuzzy Hash: 7cc65533d950c0cd34bbe87c433f160ad0065744080068234088ee791846f120
                                  • Instruction Fuzzy Hash: 88618071D00249DBEF10EFA4D845BAEBBF4BF14314F144069E885AB792EB74E905CBA1
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0008DE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0008DEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0008DED6
                                  • std::_Facet_Register.LIBCPMT ref: 0008DF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0008DF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0008DF7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID: hm
                                  • API String ID: 2081738530-3525250708
                                  • Opcode ID: ca7711a7e8fbc4c52d2f849bc38bf480b75aaa2bf5992295dfbdffe95344060d
                                  • Instruction ID: e243d82b781a64157f7661f62a7e5908cd684a48009b0d846fbf15cbe258150f
                                  • Opcode Fuzzy Hash: ca7711a7e8fbc4c52d2f849bc38bf480b75aaa2bf5992295dfbdffe95344060d
                                  • Instruction Fuzzy Hash: F2410271900219DFCB14EF54E845AAEBBB4FB10320F14436AEA569B793DB30AD40CBD1
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00023A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00023AA4
                                  • __Getctype.LIBCPMT ref: 00023ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00023AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00023B7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: c540fabe29e89354eb2240eaffc56894b4a634dfd6691ce2e83d3a573bc52e53
                                  • Instruction ID: e47ff28aca9175646f0d56e44b22a691088a7339977b30f1a6c910f682cda059
                                  • Opcode Fuzzy Hash: c540fabe29e89354eb2240eaffc56894b4a634dfd6691ce2e83d3a573bc52e53
                                  • Instruction Fuzzy Hash: E65140B1D002589BDF10DFE4E985B9EBBF8BF14314F144069E909AB382E779DA04CB51
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00102E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00102E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00102ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00102F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00102F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: 96a27c5d08a4a18fb9b179a9d56e417c50f78688f7b412b5cb4bfebfe5aa2f1c
                                  • Instruction ID: d70ab83d7f3904795edc366e872ac9f0354f2ff350e059ec5bbb29faebe5246a
                                  • Opcode Fuzzy Hash: 96a27c5d08a4a18fb9b179a9d56e417c50f78688f7b412b5cb4bfebfe5aa2f1c
                                  • Instruction Fuzzy Hash: 36410430A00209ABCF10DF68C889A9EBBB5BF55324F148055F858AB3D2D7B1EE55CB91
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00024F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00024FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 000250C8
                                  Strings
                                  • recursive_directory_iterator::operator++, xrefs: 0002504C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-953255998
                                  • Opcode ID: 83b2a088aa5cf887b54c6a86321f062eccacc4edddd22b3d3d067cb800747faf
                                  • Instruction ID: 465f2ecad87e1cf914c7820e0cd4132a1a13f6daf4da0e26a26b8e4260d06f50
                                  • Opcode Fuzzy Hash: 83b2a088aa5cf887b54c6a86321f062eccacc4edddd22b3d3d067cb800747faf
                                  • Instruction Fuzzy Hash: 86E138719006149FDB18DF68E885BAEFBF9FF44700F10462DE45693B82D774A944CBA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0002799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00027B75
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: out_of_range$type_error
                                  • API String ID: 2659868963-3702451861
                                  • Opcode ID: 35b43859bca95f19c59053b7e7f109b027ad4dd5c699de015503e54003f9b2c2
                                  • Instruction ID: 665fa572f021aa8e90b36eddeec85d18aa92e3f256b39c7afee1328650dc5af1
                                  • Opcode Fuzzy Hash: 35b43859bca95f19c59053b7e7f109b027ad4dd5c699de015503e54003f9b2c2
                                  • Instruction Fuzzy Hash: F3C17AB19002188FDB18CFA8E98479DFBF5FF49310F14866AE459EB792E7749980CB50
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 000275BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 000275CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column
                                  • API String ID: 4194217158-191570568
                                  • Opcode ID: 76394e7db44b8b91f74c9989c411f38b6d1d9cf59f88cb8e671838acf4e8a886
                                  • Instruction ID: ef11812bae594b725c23b89678522c4542c9e83889b90886aad57fbc144ff94c
                                  • Opcode Fuzzy Hash: 76394e7db44b8b91f74c9989c411f38b6d1d9cf59f88cb8e671838acf4e8a886
                                  • Instruction Fuzzy Hash: 3361E671A046159FDB08DF68ED85BADFBB6FF44300F24462CE419A7B82D774AA40CB91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00023E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: a056969ac364957b564a10176372a702c34e9cf9fcef845235f4b1d29bb6f724
                                  • Instruction ID: 59f4acd7fc59ead70ae572470676cc3cda3be9050b5d3fee6c4a22715e00e8af
                                  • Opcode Fuzzy Hash: a056969ac364957b564a10176372a702c34e9cf9fcef845235f4b1d29bb6f724
                                  • Instruction Fuzzy Hash: EE4108B2500218AFCB14DF58E845BEEB7F8EF08710F14852EF955E7781E774AA158BA0
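                                   Every function entry in this section follows one fixed layout (APIs, Strings, Memory Dump Source, Joe Sandbox IDA Plugin, Yara matches, Similarity), which makes the section easy to turn into records for bulk triage. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it parses that layout using abridged copies of three entries from this section as constructed input, strips the "Download File" link label the page extraction glued onto the Associated dump names, splits the String ID field on the "$" separator the report uses, and flags API call sites listed under more than one Opcode ID (as 00023E7F is here). The section names and field labels are taken from the page; the record layout, helper names and the treatment of a truncated last entry are the example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed input: abridged copies of three entries from the report section above,
# in the layout of the extracted page ("• " bullets, the "Download File" link label
# glued onto an Associated line, and a last entry cut off after its Opcode ID).
SAMPLE = """\
APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 00024F72
• ___std_exception_copy.LIBVCRUNTIME ref: 000250C8
Strings
• recursive_directory_iterator::operator++, xrefs: 0002504C
Memory Dump Source
• Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
• Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
Yara matches
Similarity
• API ID: ___std_exception_destroy$___std_exception_copy
• String ID: recursive_directory_iterator::operator++
• API String ID: 1206660477-953255998
• Opcode ID: 83b2a088aa5cf887b54c6a86321f062eccacc4edddd22b3d3d067cb800747faf
• Instruction Fuzzy Hash: 86E138719006149FDB18DF68E885BAEFBF9FF44700F10462DE45693B82D774A944CBA1
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 00023E7F
Strings
Similarity
• API ID: ___std_exception_copy
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2659868963-1866435925
• Opcode ID: a056969ac364957b564a10176372a702c34e9cf9fcef845235f4b1d29bb6f724
• Instruction Fuzzy Hash: EE4108B2500218AFCB14DF58E845BEEB7F8EF08710F14852EF955E7781E774AA158BA0
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 00023E7F
Similarity
• API ID: ___std_exception_copy
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2659868963-1866435925
• Opcode ID: 5bfcc646f8349681080598651170d3b91f3974fcee62c8dad18919aba16fa9c0
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
            "Yara matches", "Similarity"}
API_RE = re.compile(r"^(?P<name>.+)\.(?P<lib>[A-Z][A-Z0-9_]*) ref: (?P<ref>[0-9A-F]{8})$")
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})$")
LINK_RESIDUE = "Download File"   # link label the page extraction glued onto dump names


def _new_entry():
    return {"apis": [], "strings": [], "associated": [], "fields": {}}


def _add(cur, section, line):
    """File one bullet line under the section it belongs to."""
    if section == "APIs":
        if m := API_RE.match(line):
            cur["apis"].append(m.groupdict())
    elif section == "Strings":
        if m := STR_RE.match(line):
            cur["strings"].append(m.groupdict())
    else:
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Associated":
            cur["associated"].append(value.removesuffix(LINK_RESIDUE))
        elif key == "Source File":   # "<dump>, Offset: <hex>, based on PE: <bool>"
            src, _, rest = value.partition(", Offset:")
            offset, _, pe = rest.partition(", based on PE:")
            cur["fields"].update(source=src, offset=int(offset, 16), based_on_pe=pe.strip() == "true")
        else:
            cur["fields"][key] = value   # Snapshot File, API ID, Opcode ID, ...


def parse_entries(text):
    """Split report text into one dict per function entry."""
    entries, cur, section = [], _new_entry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            # Similarity is the last block of an entry, so a following APIs or
            # Memory Dump Source header opens the next function.
            if section == "Similarity" and line in ("APIs", "Memory Dump Source"):
                entries.append(cur)
                cur = _new_entry()
            section = line
        elif line.startswith("•") and section:
            _add(cur, section, line.lstrip("• "))
    if cur["apis"] or cur["fields"]:
        entries.append(cur)   # keep a trailing entry even if the page cut it off
    return entries


def string_ids(entry):
    """The String ID field joins a function's strings with '$'."""
    value = entry["fields"].get("String ID", "")
    return value.split("$") if value else []


def shared_call_sites(entries):
    """Call-site addresses listed under more than one Opcode ID (the report
    above lists 00023E7F under two different functions)."""
    sites = defaultdict(set)
    for e in entries:
        for api in e["apis"]:
            sites[api["ref"]].add(e["fields"].get("Opcode ID", "?"))
    return {ref: sorted(ids) for ref, ids in sites.items() if len(ids) > 1}
```

                                   Paste a whole report section into SAMPLE and the same three functions give a per-function table of imported runtime calls, embedded strings and similarity keys; a call site that turns up under two Opcode IDs is the first thing to look at when deciding whether two entries are really distinct functions or overlapping bounds.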
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00023E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                   • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 5bfcc646f8349681080598651170d3b91f3974fcee62c8dad18919aba16fa9c0
                                  • Instruction ID: e9b922844ea076c70ebc84cd8048119d2c07dc87bac1a9888801da6e004e5512
                                  • Opcode Fuzzy Hash: 5bfcc646f8349681080598651170d3b91f3974fcee62c8dad18919aba16fa9c0
                                  • Instruction Fuzzy Hash: 1021EEB25003146FC714DF54E805B96B7ECAF18310F14883EFA6897681E7B4E924CB91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00027340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: parse error$parse_error
                                  • API String ID: 2659868963-1820534363
                                  • Opcode ID: bbc4cb21e1fcd34999e8ab6ef87ce7308c33ed9acb671ec825fbf0d597b10568
                                  • Instruction ID: cbe93095b75fde0a0e8ca53e336a2d7189429c55a3136fb73931167ceca29fae
                                  • Opcode Fuzzy Hash: bbc4cb21e1fcd34999e8ab6ef87ce7308c33ed9acb671ec825fbf0d597b10568
                                  • Instruction Fuzzy Hash: 35E16E70904218CFDB18CF68D985BADBBB1FF49300F248269E418EB792D7749A85CF91
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00026F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00026F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.
                                  • API String ID: 4194217158-791563284
                                  • Opcode ID: 1de25360a1277695d9e931091b64b934356468cca6032ebed38c6de5bb01297d
                                  • Instruction ID: ab70f7dc87957bca8a2d7328e0298ed495019134233c4099a61e945c70dbee15
                                  • Opcode Fuzzy Hash: 1de25360a1277695d9e931091b64b934356468cca6032ebed38c6de5bb01297d
                                  • Instruction Fuzzy Hash: D591D670A002189FDB18CF68E984BAEFBF6FF45300F20856DE455AB792D775A981CB50
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 0009B612
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: Px$invalid hash bucket count
                                  • API String ID: 909987262-389788087
                                  • Opcode ID: e4ac8d967d98b3bafb97c98fdb250f8470ed05c350d17f7ba64dafae2b59cb07
                                  • Instruction ID: 9c626dc29e5458a32a8e307ec2a022b6eb59cf5d15700aae939493b2767dc15e
                                  • Opcode Fuzzy Hash: e4ac8d967d98b3bafb97c98fdb250f8470ed05c350d17f7ba64dafae2b59cb07
                                  • Instruction Fuzzy Hash: CE7112B4A00A09DFCB14CF49D280969FBF5FF88310725C5AAD8599B356D731EA41DF90
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0009E491
                                  Strings
                                  • type must be string, but is , xrefs: 0009E4F8
                                  • type must be boolean, but is , xrefs: 0009E582
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4496519840.0000000000021000.00000040.00000001.01000000.00000003.sdmp, Offset: 00020000, based on PE: true
                                  • Associated: 00000000.00000002.4496419036.0000000000020000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496519840.0000000000153000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4496955708.0000000000158000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000015C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000002EC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.00000000003CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000408000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.0000000000411000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4497020630.000000000041F000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498082086.0000000000420000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4498439642.00000000005C9000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_20000_LisectAVT_2403002A_163.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: 973f6e62bb7736b0556e918a3b33da03a3717bb4e6114da2e926b484851c48e4
                                  • Instruction ID: 2bebb9e394723ab979d9c6477d9aa6d598cfe81bfcd3bafd386a8decac498aed
                                  • Opcode Fuzzy Hash: 973f6e62bb7736b0556e918a3b33da03a3717bb4e6114da2e926b484851c48e4
                                  • Instruction Fuzzy Hash: F5414DB1900288AFDB14EBA4E802BEE77A8EB14310F144679F515D7783EB35EE54C792

                                  Execution Graph

                                  Execution Coverage: 2.9%
                                  Dynamic/Decrypted Code Coverage: 4.4%
                                  Signature Coverage: 0%
                                  Total number of Nodes: 684
                                  Total number of Limit Nodes: 68
__dosmaperr RtlAllocateHeap 19009->19010 19010->19007 19011->19008 19013 2c46e4 19012->19013 19014 2c471f 19012->19014 19015 2c46f1 19012->19015 19013->19015 19021 2c470d 19013->19021 19067 2c6e2d 19014->19067 19016 2bd22c __dosmaperr RtlAllocateHeap 19015->19016 19017 2c46f6 19016->19017 19019 2bd23f __dosmaperr RtlAllocateHeap 19017->19019 19023 2c46fd 19019->19023 19020 2d0d44 __fread_nolock RtlAllocateHeap 19038 2c486b 19020->19038 19021->19020 19025 2b47a0 ___std_exception_copy RtlAllocateHeap 19023->19025 19024 2c6db3 ___std_exception_copy RtlAllocateHeap 19026 2c4739 19024->19026 19047 2c4708 __fread_nolock 19025->19047 19028 2c6db3 ___std_exception_copy RtlAllocateHeap 19026->19028 19027 2c48e3 ReadFile 19029 2c48fb 19027->19029 19030 2c4957 19027->19030 19031 2c4740 19028->19031 19029->19030 19034 2c48d4 19029->19034 19041 2c4964 19030->19041 19052 2c48b5 19030->19052 19032 2c474a 19031->19032 19033 2c4765 19031->19033 19035 2bd23f __dosmaperr RtlAllocateHeap 19032->19035 19037 2be13d __fread_nolock 2 API calls 19033->19037 19044 2c4937 19034->19044 19045 2c4920 19034->19045 19034->19047 19039 2c474f 19035->19039 19036 2c6db3 ___std_exception_copy RtlAllocateHeap 19036->19008 19037->19021 19038->19027 19040 2c489b 19038->19040 19042 2bd22c __dosmaperr RtlAllocateHeap 19039->19042 19040->19034 19040->19052 19043 2bd23f __dosmaperr RtlAllocateHeap 19041->19043 19042->19047 19048 2c4969 19043->19048 19044->19047 19088 2c417b 19044->19088 19078 2c4335 19045->19078 19047->19036 19051 2bd22c __dosmaperr RtlAllocateHeap 19048->19051 19051->19047 19052->19047 19073 2bd1e5 19052->19073 19054 2b8a3c 19053->19054 19058 2b8a38 std::locale::_Locimp::_Locimp 19053->19058 19055 2b8a43 19054->19055 19059 2b8a56 __fread_nolock 19054->19059 19056 2bd23f __dosmaperr RtlAllocateHeap 19055->19056 19057 2b8a48 19056->19057 19060 2b47a0 ___std_exception_copy RtlAllocateHeap 19057->19060 19058->18992 19059->19058 19061 2b8a8d 19059->19061 19062 2b8a84 19059->19062 19060->19058 
19061->19058 19065 2bd23f __dosmaperr RtlAllocateHeap 19061->19065 19063 2bd23f __dosmaperr RtlAllocateHeap 19062->19063 19064 2b8a89 19063->19064 19066 2b47a0 ___std_exception_copy RtlAllocateHeap 19064->19066 19065->19064 19066->19058 19068 2c6e6b 19067->19068 19072 2c6e3b __dosmaperr std::_Facet_Register 19067->19072 19069 2bd23f __dosmaperr RtlAllocateHeap 19068->19069 19071 2c4730 19069->19071 19070 2c6e56 RtlAllocateHeap 19070->19071 19070->19072 19071->19024 19072->19068 19072->19070 19074 2bd22c __dosmaperr RtlAllocateHeap 19073->19074 19075 2bd1f0 __dosmaperr 19074->19075 19076 2bd23f __dosmaperr RtlAllocateHeap 19075->19076 19077 2bd203 19076->19077 19077->19047 19092 2c402e 19078->19092 19081 2c43d7 19085 2c4391 __fread_nolock 19081->19085 19086 2be13d __fread_nolock 2 API calls 19081->19086 19082 2c43c7 19083 2bd23f __dosmaperr RtlAllocateHeap 19082->19083 19084 2c437d 19083->19084 19084->19047 19085->19084 19087 2bd1e5 __dosmaperr RtlAllocateHeap 19085->19087 19086->19085 19087->19084 19089 2c41b5 19088->19089 19090 2c4246 19089->19090 19091 2be13d __fread_nolock 2 API calls 19089->19091 19090->19047 19091->19090 19093 2c4062 19092->19093 19094 2c40ce 19093->19094 19095 2be13d __fread_nolock 2 API calls 19093->19095 19094->19081 19094->19082 19094->19084 19094->19085 19095->19094 19097 2b8acf __fread_nolock 19096->19097 19098 2b8ad9 19097->19098 19101 2b8afc __fread_nolock 19097->19101 19099 2b4723 ___std_exception_copy RtlAllocateHeap 19098->19099 19100 2b8af4 19099->19100 19100->18613 19101->19100 19103 2b8b5a 19101->19103 19104 2b8b8a 19103->19104 19105 2b8b67 19103->19105 19107 2b55d3 4 API calls 19104->19107 19115 2b8b82 19104->19115 19106 2b4723 ___std_exception_copy RtlAllocateHeap 19105->19106 19106->19115 19108 2b8ba2 19107->19108 19117 2c6ded 19108->19117 19111 2c5f82 __fread_nolock RtlAllocateHeap 19112 2b8bb6 19111->19112 19121 2c4a3f 19112->19121 19115->19100 19116 2c6db3 ___std_exception_copy RtlAllocateHeap 19116->19115 19118 2c6e04 
19117->19118 19120 2b8baa 19117->19120 19119 2c6db3 ___std_exception_copy RtlAllocateHeap 19118->19119 19118->19120 19119->19120 19120->19111 19122 2c4a68 19121->19122 19125 2b8bbd 19121->19125 19123 2c4ab7 19122->19123 19126 2c4a8f 19122->19126 19124 2b4723 ___std_exception_copy RtlAllocateHeap 19123->19124 19124->19125 19125->19115 19125->19116 19128 2c49ae 19126->19128 19129 2c49ba __fread_nolock 19128->19129 19131 2c49f9 19129->19131 19132 2c4b12 19129->19132 19131->19125 19133 2ca6de __fread_nolock RtlAllocateHeap 19132->19133 19135 2c4b22 19133->19135 19137 2ca6de __fread_nolock RtlAllocateHeap 19135->19137 19142 2c4b28 19135->19142 19143 2c4b5a 19135->19143 19136 2c4b80 __fread_nolock 19136->19131 19139 2c4b51 19137->19139 19138 2ca6de __fread_nolock RtlAllocateHeap 19140 2c4b66 FindCloseChangeNotification 19138->19140 19141 2ca6de __fread_nolock RtlAllocateHeap 19139->19141 19140->19142 19141->19143 19144 2ca64d 19142->19144 19143->19138 19143->19142 19145 2ca65c 19144->19145 19146 2bd23f __dosmaperr RtlAllocateHeap 19145->19146 19149 2ca686 19145->19149 19147 2ca6c8 19146->19147 19148 2bd22c __dosmaperr RtlAllocateHeap 19147->19148 19148->19149 19149->19136 20173 55505fe 20174 5550613 20173->20174 20175 5550672 2 API calls 20174->20175 20176 5550660 20175->20176 20177 5550688 GetCurrentHwProfileW 20176->20177 20178 5550678 GetCurrentHwProfileW 20176->20178 20177->20178 20180 5550885 20178->20180 20206 55505e2 20207 5550660 20206->20207 20209 55505e9 20206->20209 20208 5550688 GetCurrentHwProfileW 20207->20208 20211 5550678 GetCurrentHwProfileW 20207->20211 20208->20211 20210 5550672 2 API calls 20209->20210 20210->20207 20213 5550885 20211->20213 19150 1ee0a0 WSAStartup 19151 1ee0d8 19150->19151 19155 1ee1a7 19150->19155 19152 1ee175 socket 19151->19152 19151->19155 19153 1ee18b connect 19152->19153 19152->19155 19154 1ee19d closesocket 19153->19154 19153->19155 19154->19152 19154->19155 18529 555089c 18530 555083c 18529->18530 18531 5550867 
GetCurrentHwProfileW 18530->18531 18532 5550885 18530->18532 18531->18532 18522 233a40 18523 233a55 18522->18523 18524 233b28 GetPEB 18523->18524 18525 233a73 GetPEB 18523->18525 18526 233b9d Sleep 18523->18526 18527 233ae8 Sleep 18523->18527 18528 233bc7 18523->18528 18524->18523 18525->18523 18526->18523 18527->18523 21316 55506a6 21317 55506c9 GetCurrentHwProfileW 21316->21317 21319 5550885 21317->21319

                                  Control-flow Graph

                                  APIs
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00233DB6), ref: 00233B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00233DB6), ref: 00233BBA
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000006.00000002.4496423630.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496522566.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496985101.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498257150.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498654718.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: cbd2b23227c764163b82e565c730d7ba753fdfafe39d21a207f76f9d9eaa47c1
                                  • Instruction ID: 58d5852b723b6fdec65a74df0628abc1d573342b87fb31bf3977db330849752b
                                  • Opcode Fuzzy Hash: cbd2b23227c764163b82e565c730d7ba753fdfafe39d21a207f76f9d9eaa47c1
                                  • Instruction Fuzzy Hash: A0519675A1421A8FCB24CF58C8D0EAAB3B2EF44708F29459AD485AB251D731EF55CB80

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: 9b8e2b9f8ccdf9c5a564572cf346d5f70fc44e7ee85e290a615afeddcc7e8f3b
                                  • Instruction ID: dc1f3863cb5e9b841858c2b9ce61eb8309fc2f6e8c0407ceba41b320d2aab978
                                  • Opcode Fuzzy Hash: 9b8e2b9f8ccdf9c5a564572cf346d5f70fc44e7ee85e290a615afeddcc7e8f3b
                                  • Instruction Fuzzy Hash: 9D31C171605701AFDB209F298C89B2FB7E4EB85334F015F1DF9A8962E0D33198588B92

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: O+
                                  • API String ID: 0-697038414
                                  • Opcode ID: e021ecfa5ae017e001fb840f4414eb879ae0bf42ed5c1816f6b4ffe798e2c149
                                  • Instruction ID: 3d59fa5a25dffccc328096298d04b9be64e953d814d56c4d2afc959d9de2488e
                                  • Opcode Fuzzy Hash: e021ecfa5ae017e001fb840f4414eb879ae0bf42ed5c1816f6b4ffe798e2c149
                                  • Instruction Fuzzy Hash: F451E530A10108AFDB14EF58CCD5AEABBB5EF49394F248159F8499B253D371AE61CB90

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cbce2af66386c4f071460924e1e42ed86b4ab3c8bcd8bbaa8e3d6c0f0084af9a
                                  • Instruction ID: 1eec5694859d31e97e17caa79805bfb6e964844960e34c4e010c58581e0cc330
                                  • Opcode Fuzzy Hash: cbce2af66386c4f071460924e1e42ed86b4ab3c8bcd8bbaa8e3d6c0f0084af9a
                                  • Instruction Fuzzy Hash: E2B1EF70A24286AFDB11EFA8D861FEFBBB5AF45310F14435DE844A7286C7709961CF60

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  • Opcode ID: d94903c21dad1e32ad96972abe475de2cd049062c9e2d6094e54a5041463c5f3
                                  • Instruction ID: f6fc30bbc52a47073bc3d09f67c4d993488205b205a52b07a0ab8d25065d111f
                                  • Opcode Fuzzy Hash: d94903c21dad1e32ad96972abe475de2cd049062c9e2d6094e54a5041463c5f3
                                  • Instruction Fuzzy Hash: 39716971910204AFDB14DF68CC49BAEB7E9EF41340F54856EF8089B382D7B5DA41CB92

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ede16bad1e53b09965d13fd1d0e9205211c4d9b0fc451735c7a7c60449aba505
                                  • Instruction ID: 772010e2aa013a85d0a9e771347a198dda59ef75fe8e3f16edf3c974dbff6166
                                  • Opcode Fuzzy Hash: ede16bad1e53b09965d13fd1d0e9205211c4d9b0fc451735c7a7c60449aba505
                                  • Instruction Fuzzy Hash: 2841F3F724C211BDA212D5511B7CAFA276FF6D27307308C2BFC03C65A2E2940A4E55B1

                                  Control-flow Graph (graph image omitted; function starting at 5550644, reaches the GetCurrentHwProfileW call at 555084d)
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5a4d4fb69204f39f3a39e9d0901973500c8e18f551b3397f4d7f9f722c048b9f
                                  • Instruction ID: ecd238f1915baab819f46807a5bb6f5af2d95c74631d2a4e9960336b57aa8941
                                  • Opcode Fuzzy Hash: 5a4d4fb69204f39f3a39e9d0901973500c8e18f551b3397f4d7f9f722c048b9f
                                  • Instruction Fuzzy Hash: 985129B724C211BEA211D551577CAF6676FFBD23307308C2BFC03C65A2E2944A4E55B1

                                  Control-flow Graph (graph image omitted; function starting at 55505dd, reaches the GetCurrentHwProfileW call at 555084d)
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 781348ef2e2a893dac87d9f9756827b190d25ca30cb69a6b0d6cf044aa2a3e3c
                                  • Instruction ID: 302a8f846235402e27be5334d9832c603eb0c4a030c2ffa2d5361e65b8fcf60a
                                  • Opcode Fuzzy Hash: 781348ef2e2a893dac87d9f9756827b190d25ca30cb69a6b0d6cf044aa2a3e3c
                                  • Instruction Fuzzy Hash: 4941C0B724C211BEA211D5526A7CAFA676FF6D27307308C2BFC03C65A2E2940A4E55B1

                                  Control-flow Graph (graph image omitted; function starting at 55505fe, reaches the GetCurrentHwProfileW call at 555084d)
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 361b5c81c8be573c0b40275af569d56f07e683eb2b8d2d66e509e2fd6191a1fa
                                  • Instruction ID: 913114036b2a9786269faecbf9e711c4ec4b8054501a538715e102aacb68a3dc
                                  • Opcode Fuzzy Hash: 361b5c81c8be573c0b40275af569d56f07e683eb2b8d2d66e509e2fd6191a1fa
                                  • Instruction Fuzzy Hash: 0E412AB724C211BEA201D5615B7CAFA676FFBD27307308C2BFC03C65A2E2944A4E55B1

                                  Control-flow Graph (graph image omitted; function starting at 5550625, reaches the GetCurrentHwProfileW call at 555084d)
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5e52fa6dfb70e007e3df0601ee701cf31ae249c38dd199b84c2eeffcf8d9c8f3
                                  • Instruction ID: ec01e972e56a12b690cf7854bbb56a76726009c4cd8abb47d41c6cb269b8ddee
                                  • Opcode Fuzzy Hash: 5e52fa6dfb70e007e3df0601ee701cf31ae249c38dd199b84c2eeffcf8d9c8f3
                                  • Instruction Fuzzy Hash: 7F41E4B724C211BEA211D5516B7CAFA676FFBD27307308C2BF803C65A2E2944A4E55B1

                                  Control-flow Graph (graph image omitted; function starting at 5550631, reaches the GetCurrentHwProfileW call at 555084d)
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 33bd0dfb3ad8e1745c86becead827ea34579c7c16914eb405d2aa99838b2b3f7
                                  • Instruction ID: 222bd5e671c3da26496bdf142f1ce15f1d04f374c5f2da992dbac3a5457e53eb
                                  • Opcode Fuzzy Hash: 33bd0dfb3ad8e1745c86becead827ea34579c7c16914eb405d2aa99838b2b3f7
                                  • Instruction Fuzzy Hash: 8D41E5B724C211BEA211D5515B7CAFA676FFBD27307308C2BFC03C65A2E2944A4E55B1

                                  Control-flow Graph (graph image omitted; function starting at 2c549c, contains the WriteFile call at 2c5609)
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,002B9087,?,00000000,00000000,00000000,?,00000000,?,001DA3EB,002B9087,00000000,001DA3EB,?,?), ref: 002C5621
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000006.00000002.4496423630.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496522566.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496985101.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498257150.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498654718.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: b6a3f53bd7ffe5a7867a8cb4df4a9c5db8ae7d68f96da61d61ca155b4e33a6eb
                                  • Instruction ID: 0b2bf8ecbf409e0eff72e725c6d0b3b100a44fc7f8e8ebd2977f33dae01c085e
                                  • Opcode Fuzzy Hash: b6a3f53bd7ffe5a7867a8cb4df4a9c5db8ae7d68f96da61d61ca155b4e33a6eb
                                  • Instruction Fuzzy Hash: 8961C871D2052AAFDF15DFA8C844FEEBBB9AF05344F54024DE804A7215D371E9A1CBA0

                                  Control-flow Graph (graph image omitted; function starting at 5550672, reaches the GetCurrentHwProfileW call at 555084d)
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f426e69c676a455771f671be96908f92c798c3e3867c3eaf4e1436ac50cb991f
                                  • Instruction ID: e0a05e04cf8be2e0b00582b4033fa11684a052aa8379e58635262a4a1bd64c89
                                  • Opcode Fuzzy Hash: f426e69c676a455771f671be96908f92c798c3e3867c3eaf4e1436ac50cb991f
                                  • Instruction Fuzzy Hash: 8741E5B754C211BDB211D5515B7CAFA676FF7D2330730882BF803C5592E3940A4E55B1

                                  Control-flow Graph (graph image omitted; function starting at 55506b8, reaches the GetCurrentHwProfileW call at 555084d)
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 05b87d5cce0a668ca9655c9bc5b7b995d60e8a9a0bfa47a2ed5d29611650dd64
                                  • Instruction ID: 04238e435f0c198f72a12cea910f772d3fb2b70ee9d9f1c8b06366977507106f
                                  • Opcode Fuzzy Hash: 05b87d5cce0a668ca9655c9bc5b7b995d60e8a9a0bfa47a2ed5d29611650dd64
                                  • Instruction Fuzzy Hash: 1031E0B7148214BDB211C5516B68EFA67AFF6D6730730882BF803D66A2E3900A8D59B1

                                  Control-flow Graph (graph image omitted; function starting at 5550688, reaches the GetCurrentHwProfileW call at 555084d)
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(0000D31D), ref: 05550867
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 0604a58f7497522961b0274baed858a7f7ec0899675d411b3c937c1c880b80ec
                                  • Instruction ID: b3309e682fad6350996e3c07b1185fa13d609f3691e1cfc811ac99d0e4ae8c09
                                  • Opcode Fuzzy Hash: 0604a58f7497522961b0274baed858a7f7ec0899675d411b3c937c1c880b80ec
                                  • Instruction Fuzzy Hash: 8231DDFB14C211BDB102D1922B3CEFA676FF6D67307308C2BB803D56A2E2940A8D55B1
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(0000D31D), ref: 05550867
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 2b215db421f43e1036faf4446dafc861bc29a30f8dbf45af031e26a99b64afee
                                  • Instruction ID: 94499797a1b7cfea4a44290d695585cecbec624ae5b7a2488d9dfc4e59d32fb7
                                  • Opcode Fuzzy Hash: 2b215db421f43e1036faf4446dafc861bc29a30f8dbf45af031e26a99b64afee
                                  • Instruction Fuzzy Hash: 5331F3B7148214BDB201C6515B68EFA677FF7D67307308C2BF803D6292E7900A8D59B1
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(0000D31D), ref: 05550867
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 9154d203c6d0216083319044c0c5aaf05de5db5dfe158868868589aaea9abb13
                                  • Instruction ID: 2cf6b63f89464e71493d2fb2c57bfab9b8acafc6b35e6cc0a314636ff7b08fae
                                  • Opcode Fuzzy Hash: 9154d203c6d0216083319044c0c5aaf05de5db5dfe158868868589aaea9abb13
                                  • Instruction Fuzzy Hash: D231DDBB248215BDB101D1512B7CEFB676FF6D67307308C2BB803D5592E2940A8E55B1
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(0000D31D), ref: 05550867
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: e06343ec7c84e728df3f004f538834d5442749688ba010a3655d5e2f0f1b7ff4
                                  • Instruction ID: 63af3bf57b4040807cbcb9f4cb3054bdc5e2cb1cb944a9652fcf6445f49dfd5d
                                  • Opcode Fuzzy Hash: e06343ec7c84e728df3f004f538834d5442749688ba010a3655d5e2f0f1b7ff4
                                  • Instruction Fuzzy Hash: AF31E4BB24C211BDB111C5916B6CEF6677FF7D6730730882BF803D6192E3940A8A95B1
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(0000D31D), ref: 05550867
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 6deafdff27f1b21310d240fbdc2395d86742d58605fd8f2adc54c11f50252dc1
                                  • Instruction ID: e91e0514406852cbf9ab1d5ac920c68184c0cce505752f77ccd8d88586513268
                                  • Opcode Fuzzy Hash: 6deafdff27f1b21310d240fbdc2395d86742d58605fd8f2adc54c11f50252dc1
                                  • Instruction Fuzzy Hash: F1319EFB248215BDB112D1912B6CEFA676FF6D2730730882BF803D5592E6940A8E55B2
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(0000D31D), ref: 05550867
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 609018f123b3e59c1ed13f7f1ae6237e76af3949c8da8f60ee42529aff2de1ef
                                  • Instruction ID: 4e5488b3481429994bbb3de1fbbe7ae433db8a7bd24b7d7536b0a65fd99765f1
                                  • Opcode Fuzzy Hash: 609018f123b3e59c1ed13f7f1ae6237e76af3949c8da8f60ee42529aff2de1ef
                                  • Instruction Fuzzy Hash: 7A21AEFB248211BDB102D5916B6CEFB676FF7D2730B30882BF803C6552E7944A8A55B1
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(0000D31D), ref: 05550867
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 85a34fdac45f8793d1edf6221de23be727bd34adb87cfe2c54d9304f87f0f544
                                  • Instruction ID: 294bea5d726db3d2484ad3ad2d76f43a0bb126bcba79e5fcb6deab821aea14c3
                                  • Opcode Fuzzy Hash: 85a34fdac45f8793d1edf6221de23be727bd34adb87cfe2c54d9304f87f0f544
                                  • Instruction Fuzzy Hash: 1C21CEBB24C211BDB111C5912B28EFA676FF7D2730B30882BF803C6192E7940A8E55B1
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(0000D31D), ref: 05550867
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 51d3835c3a866390caa36e6b8745df0e95dac44a08c7a8f6f1882b5a6f2df0ef
                                  • Instruction ID: b194168e2d5a4b9f35cb1bac5085ec9c7415acac25b184607e97703c7267fd31
                                  • Opcode Fuzzy Hash: 51d3835c3a866390caa36e6b8745df0e95dac44a08c7a8f6f1882b5a6f2df0ef
                                  • Instruction Fuzzy Hash: 1721C0F7248215BDB102C5912B2CEF7676FF7D2730B30882BF803D6592E7940A8A55B1
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 002406AE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000006.00000002.4496423630.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496522566.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496985101.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498257150.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498654718.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction ID: a1c8e622623835b998cf8cc06c1d61e46e000331704331033eb58043c80a4e0b
                                  • Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction Fuzzy Hash: FD41E372A101149BCB19EF68D9C06AE7BA9EF89350F550169FD05DB302DB70DDB08BE1
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(0000D31D), ref: 05550867
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 24495979f93ac82e5ecfe14a69feac6bc80abfc33fb83e7d76f0ee177e84ee6e
                                  • Instruction ID: b766f8e30a26bb8b880a76895f1171aae37a9850bff8fa8c27f6a68da758fbfd
                                  • Opcode Fuzzy Hash: 24495979f93ac82e5ecfe14a69feac6bc80abfc33fb83e7d76f0ee177e84ee6e
                                  • Instruction Fuzzy Hash: A711F3B7248215BDB102D1501B78EF627AFF7D6730B304827B803C6591E6900A8A95F0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(0000D31D), ref: 05550867
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: a365dd5e0c7b74639ac24d03c1d50e2fbc889400aa19f8de137c2f72637b967b
                                  • Instruction ID: 0d5e79ebf637772bdba049e21fe7c370b3760aab31b17b3f8a015fd550bca51a
                                  • Opcode Fuzzy Hash: a365dd5e0c7b74639ac24d03c1d50e2fbc889400aa19f8de137c2f72637b967b
                                  • Instruction Fuzzy Hash: E51108B724C215ADE602C5901768EF6676FFBD3730B304877E803D6551E6D00A4A95F1
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(0000D31D), ref: 05550867
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 9c2a3eaa5b7dabe3480c3fe42b0f788ca997219131a8736c006af78139af7057
                                  • Instruction ID: e9e76098ea3d7fb4dbf799964dc6f30ecc1c014e0de806f4d8fc32ac6940477b
                                  • Opcode Fuzzy Hash: 9c2a3eaa5b7dabe3480c3fe42b0f788ca997219131a8736c006af78139af7057
                                  • Instruction Fuzzy Hash: 5D0108B7148215FDA502D1501A78EF667BFFBD7730B304C27B803D6291F6904A8945F1
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(0000D31D), ref: 05550867
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: cc41b91bbc9440f96f26537c2d7f2a1e74e88aa89b6bebeac3df8c31d0d03250
                                  • Instruction ID: a1b6f5ad02514c6525f03c1bb58c935dc0d674b3494454c512fa6b204416a325
                                  • Opcode Fuzzy Hash: cc41b91bbc9440f96f26537c2d7f2a1e74e88aa89b6bebeac3df8c31d0d03250
                                  • Instruction Fuzzy Hash: 810104A7148215BDA502D1901A78EF667BFFBD7730B304827B803D6691E6900A8949F1
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(0000D31D), ref: 05550867
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 975ed612c5140f979ad8140793e74765ffee90ee10bba111169baaaf75fba771
                                  • Instruction ID: d6842e38345e8090a011f9bfb3bb69d8a91cee3d6c6170dc97eac1264bec9470
                                  • Opcode Fuzzy Hash: 975ed612c5140f979ad8140793e74765ffee90ee10bba111169baaaf75fba771
                                  • Instruction Fuzzy Hash: 9701DFE7248215FDA10295901B78EF667BFFBE77307304827B803C6692E7900A8995F2
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,002C49F9,00000000,CF830579,00301140,0000000C,002C4AB5,002B8BBD,?), ref: 002C4B68
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000006.00000002.4496423630.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496522566.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496985101.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498257150.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498654718.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 0dd8eeca34b2adc6eb0708bdb9b346fbb430cdae37e7a17d049a979942e43588
                                  • Instruction ID: 95ef94dfea4a1b9e4e5e878531ea005bd6ec76b0a59cd306d42995e6d7ffdec0
                                  • Opcode Fuzzy Hash: 0dd8eeca34b2adc6eb0708bdb9b346fbb430cdae37e7a17d049a979942e43588
                                  • Instruction Fuzzy Hash: 26114832E7112816DB297A356826FBF679D8B8277CF39030EFC089B0C2EE61DC614155
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(0000D31D), ref: 05550867
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: dab0b0b7d4b35f853bb8030539d7b40786e3c20fc947daa6b79c5f199553cf6e
                                  • Instruction ID: c0361f66e6beff4eb05c47cbc9430afc20a770fb2a32b385821de64dcd938dc3
                                  • Opcode Fuzzy Hash: dab0b0b7d4b35f853bb8030539d7b40786e3c20fc947daa6b79c5f199553cf6e
                                  • Instruction Fuzzy Hash: 9E014CB650C315EEDA12D6504A38EF67B7ABB837307300857AC43961D1E6900A49C6F1
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(0000D31D), ref: 05550867
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505887367.0000000005550000.00000040.00001000.00020000.00000000.sdmp, Offset: 05550000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5550000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: b34a445e6b92bbd67cd8380cf19e348ee2e6f2259c3e911ffa21c1657eda3847
                                  • Instruction ID: 7b1fbb13942787d67a597735ab9943af8b5abcf946bd1826d180fb3bf071633d
                                  • Opcode Fuzzy Hash: b34a445e6b92bbd67cd8380cf19e348ee2e6f2259c3e911ffa21c1657eda3847
                                  • Instruction Fuzzy Hash: EC012BF6508315EEE602D6604A78EFA7B7ABB977307200867A843D72C2E7900A4586F1
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00300DF8,001DA3EB,00000002,001DA3EB,00000000,?,?,?,002BE166,00000000,?,001DA3EB,00000002,00300DF8), ref: 002BE098
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000006.00000002.4496423630.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496522566.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496985101.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498257150.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498654718.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: 8eb8ffe171fd2b27d908991b4441584507ec3e3dedece62d444d193ea6598438
                                  • Instruction ID: d10d34f5a02a0c7582e0f93b519f0a188808c780a09b9f55ad3075c0c863677a
                                  • Opcode Fuzzy Hash: 8eb8ffe171fd2b27d908991b4441584507ec3e3dedece62d444d193ea6598438
                                  • Instruction Fuzzy Hash: 8A012632620119AFCF05AF19CC05CDE3B6ADB81360F350209F850AB2D1EAB2ED618BD0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001D220E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000006.00000002.4496423630.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496522566.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496985101.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498257150.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498654718.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID:
                                  • API String ID: 2659868963-0
                                  • Opcode ID: dc230ebe102efb051326ae556abab537d7f128e004c28a2706078cc2e29e7cfa
                                  • Instruction ID: f6c265f93404b6fbafc7c157f7a985d444585bc0bb31918bd4848bbf0e1ec043
                                  • Opcode Fuzzy Hash: dc230ebe102efb051326ae556abab537d7f128e004c28a2706078cc2e29e7cfa
                                  • Instruction Fuzzy Hash: 8801203541030D67CB14AF98E801A9977AC9A01350B408436FE19DBA91EB70D9748B94
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,002B91F7,00000000,?,002C5D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,002BD244,002B89C3,002B91F7,00000000), ref: 002C6434
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000006.00000002.4496423630.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496522566.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496985101.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498257150.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498654718.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 7d48cde3858231759f3451e53adca166c94f0dd86ebe2bc1df611292b6a37e4b
                                  • Instruction ID: 45814a5d8388ea79892f7fcb45facbcc1747f85c78d1e13181af6c607d2c6e40
                                  • Opcode Fuzzy Hash: 7d48cde3858231759f3451e53adca166c94f0dd86ebe2bc1df611292b6a37e4b
                                  • Instruction Fuzzy Hash: EDF0E93153512666DB396F629C0BF6B3B8C9F417B0F25832DEC04A6480CA70EC3046F1
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,002CD635,4D88C033,?,002CD635,00000220,?,002C57EF,4D88C033), ref: 002C6E60
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000006.00000002.4496423630.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496522566.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496985101.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498257150.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498654718.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 489302c3a4058ae832e7abd2116c50abdcdeeba224fd33f95b20fe7a6f23aa7d
                                  • Instruction ID: c7948cd59d642bf2cdfa5dad6e184d46fa525bfde2dd25c8f5d5b6481ccc49b0
                                  • Opcode Fuzzy Hash: 489302c3a4058ae832e7abd2116c50abdcdeeba224fd33f95b20fe7a6f23aa7d
                                  • Instruction Fuzzy Hash: 8CE0ED3913162A6ADA313AA5CD09FAB764C8B823B0F05072BEC04924D2DB60C83085A4
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505941566.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5560000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 65e7d48ee1d7f4ed1acd2bcc25b497dd243e56c887095ff5f966f1eae516ff09
                                  • Instruction ID: 84d1f2dfedb8a6964b8dcb18b7e2ebedcb650104456141db9ba3ca5bd142a705
                                  • Opcode Fuzzy Hash: 65e7d48ee1d7f4ed1acd2bcc25b497dd243e56c887095ff5f966f1eae516ff09
                                  • Instruction Fuzzy Hash: A731D2EB28D2A47EB242D585BF1CDF76B6EF5C7730330886BF402C2592E2A50A4D9171
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505941566.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5560000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fedd2a8c20855aca1ed24b6fa3b92cb69e2a66fe90a103d56702991926638ba6
                                  • Instruction ID: b80db6da32fc368322d914b7c646bc8d59de2f8bcd0d31654b09b5b7cddd7ff2
                                  • Opcode Fuzzy Hash: fedd2a8c20855aca1ed24b6fa3b92cb69e2a66fe90a103d56702991926638ba6
                                  • Instruction Fuzzy Hash: 61219FEB28D1647DB142D1C67F28DF6AB2EE5C3B70330C83BF502C2542E2950A5E5171
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505941566.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5560000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9e95b15fccfffab75fd9d7e80f245130c9522633a2f764fb7cdb55b93ae42b30
                                  • Instruction ID: b5da5ac6b3ac9c67d2529c1185e3233fbb86b39f7609695757501aa7fbf84c15
                                  • Opcode Fuzzy Hash: 9e95b15fccfffab75fd9d7e80f245130c9522633a2f764fb7cdb55b93ae42b30
                                  • Instruction Fuzzy Hash: 622181EB28C1647DB142E5866F189F7A76EF5C3B70330883AF402C2552E2A54A9D6171
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505941566.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5560000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 60d13adca72e0ef1edfa154ce3c1a40d8306b9bed651da3ec8045a7dfa09a0fc
                                  • Instruction ID: f6b51d40150227109a93f50d930df24b0445531cea33ac017378f6078fddebee
                                  • Opcode Fuzzy Hash: 60d13adca72e0ef1edfa154ce3c1a40d8306b9bed651da3ec8045a7dfa09a0fc
                                  • Instruction Fuzzy Hash: 94113AEB2891647DB18291C66F18DF7AB2EF1C3B70330882AF502C2542E2A84E9D6171
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505941566.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5560000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d80ba642898e264d4492f1f55f146ce73c1df765aeacf759226e74d1a4c40552
                                  • Instruction ID: 12e3c980a82562f72bfff8d2e4bf83bb6cd6421ba1f3868ea04ba22ac071d4cb
                                  • Opcode Fuzzy Hash: d80ba642898e264d4492f1f55f146ce73c1df765aeacf759226e74d1a4c40552
                                  • Instruction Fuzzy Hash: F611B1EB1891507CB152D1C66F189F6AB6EF5C3730330882BF042C2582E2940A5D5271
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505941566.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5560000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5762b9d70d0cce97e0551b4799b8419446437a0f5a4dc60f2c157390963f9528
                                  • Instruction ID: 0493e5a2f04fd4eee72de30fd49b713a6a0961401232e6a5f7d150c76a9e5244
                                  • Opcode Fuzzy Hash: 5762b9d70d0cce97e0551b4799b8419446437a0f5a4dc60f2c157390963f9528
                                  • Instruction Fuzzy Hash: 09115EEB1892643DB14291C62F18EFBAB6EE5D3B71330883BF802C2482E2990E5D5171
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4505941566.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_5560000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5699f0fd8511305435a85388c2ffa6ba57736057ffd9d246bf5928251dd165e8
                                  • Instruction ID: 1cb2547efcc417f75a4df02794ff48374775c52804ebe83214a08aae5f1e3069
                                  • Opcode Fuzzy Hash: 5699f0fd8511305435a85388c2ffa6ba57736057ffd9d246bf5928251dd165e8
                                  • Instruction Fuzzy Hash: 14F0ECEB18D1507CB15291C62B18AF6AB6EF5D7771330892BF403C5942E2D90A5E6171
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000006.00000002.4496423630.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496522566.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496985101.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498257150.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498654718.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction ID: bbe6706893308522768bf0182de4f41967739c2473e0555e83ee2cd9eb29734f
                                  • Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction Fuzzy Hash: D1023C71E1121A9BDF14CFA9C8806EEFBB9FF48354F248269D519E7380DB31A951CB90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0023F833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0023F855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0023F875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0023F89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0023F90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0023F959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0023F973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0023FA08
                                  • std::_Facet_Register.LIBCPMT ref: 0023FA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000006.00000002.4496423630.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496522566.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4496985101.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4497069031.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498257150.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4498654718.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$"/
                                  • API String ID: 3375549084-1188037619
                                  • Opcode ID: 3a285ebabcfa9536c5826a11c3945500fc87f063c9472b171645b06cb9342405
                                  • Instruction ID: 1a52b5d5bccc1307b6ae5a42b191efb5dc6b5cc2003d162fc4a11836d4e7bd55
                                  • Opcode Fuzzy Hash: 3a285ebabcfa9536c5826a11c3945500fc87f063c9472b171645b06cb9342405
                                  • Instruction Fuzzy Hash: BA61CFB1D202099BEF10DFA4EA45BDEBBB4AF15310F144069E805AB381EB74E915CF91
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 002B2E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 002B2E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 002B2ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 002B2F03
                                  • _ValidateLocalCookies.LIBCMT ref: 002B2F58
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: i0$csm
                                  • API String ID: 1170836740-1866805317
                                  • Opcode ID: dbee62e5149e73ae7240dafcf94d0ef21dbe0738c8ed8b61c4f323501c396f79
                                  • Instruction ID: 32ac7f7cfeadbd2963840aa2b7b08df8b3fef845df534a84ea462bafd154c1fa
                                  • Opcode Fuzzy Hash: dbee62e5149e73ae7240dafcf94d0ef21dbe0738c8ed8b61c4f323501c396f79
                                  • Instruction Fuzzy Hash: CA41C430A20309DBCF10DF69C885AEEBBB5EF45394F148055E8149B792D771EE69CB90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 001D3A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001D3AA4
                                  • __Getctype.LIBCPMT ref: 001D3ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 001D3AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 001D3B7B
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: e336c04381489506ce98469e20e1aa0013bd86d0ae350632ed8ca0ff762a92d3
                                  • Instruction ID: 7eec70bbacd63bb50638145529670cbaa62c8c05c7e4b56e60d9b2299b9eeca0
                                  • Opcode Fuzzy Hash: e336c04381489506ce98469e20e1aa0013bd86d0ae350632ed8ca0ff762a92d3
                                  • Instruction Fuzzy Hash: B55144B1D102489FDF10DFA4D945BDDBBB8AF15310F14406AE819AB381EB75DA14CB52
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0023DE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0023DEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0023DED6
                                  • std::_Facet_Register.LIBCPMT ref: 0023DF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0023DF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0023DF7B
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  • Opcode ID: 3fcc8f2dd8ce59d5b053b5e8679bbf7d017a903f953f1645709824ea4ad6a51e
                                  • Instruction ID: c3f5f2e51c86c7bb40ed35f79696e9488f9dac318875ddca51c4b69ee872915a
                                  • Opcode Fuzzy Hash: 3fcc8f2dd8ce59d5b053b5e8679bbf7d017a903f953f1645709824ea4ad6a51e
                                  • Instruction Fuzzy Hash: D04123B5D202169FCB15DF54E881B6EBBB8FB11710F10426AE816AB752DB30AD21CBD1
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001D4F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001D4FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001D50C8
                                  Strings
                                  • recursive_directory_iterator::operator++, xrefs: 001D504C
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-953255998
                                  • Opcode ID: ca26052e8f98b9b1c5fd7b2aee9a1f6a4e2ad062376d2f9617a647aa7de53046
                                  • Instruction ID: 977c9e67eec8c3d12b2928d7d57d3ff8a05cdf20fcdf868f4a016b3e73774ee2
                                  • Opcode Fuzzy Hash: ca26052e8f98b9b1c5fd7b2aee9a1f6a4e2ad062376d2f9617a647aa7de53046
                                  • Instruction Fuzzy Hash: FBE1E2B19106049FCB28DF68D895BAEF7F9FF44300F144A2EE45693781E774A914CBA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001D799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001D7B75
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: out_of_range$type_error
                                  • API String ID: 2659868963-3702451861
                                  • Opcode ID: 3b9fabe72a022adb020c0c12b9e90c2a241c656b08d31f4bc3cdd6034f6d1ebb
                                  • Instruction ID: b674fd593ab362357c3c0e7f3f47a3c52fb226ef3aaf768fe579279ba3ba9650
                                  • Opcode Fuzzy Hash: 3b9fabe72a022adb020c0c12b9e90c2a241c656b08d31f4bc3cdd6034f6d1ebb
                                  • Instruction Fuzzy Hash: CAC156B1D002088FDB08DFA8E9947ADFBF1AB49310F14866AE419EB791E7749984CB54
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 001D2275
                                    • Part of subcall function 002AD6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 002AD6F5
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                  • String ID: string too long$L0$L0
                                  • API String ID: 1997705970-1638608421
                                  • Opcode ID: 8490484e3ed718928e4d1e8a565281a0dd77244087875b57fcc25a8bd79cf534
                                  • Instruction ID: de67a2654fe37548eab6af86c684d8b2c2d8ca9ac42ef4583abea7e05da30beb
                                  • Opcode Fuzzy Hash: 8490484e3ed718928e4d1e8a565281a0dd77244087875b57fcc25a8bd79cf534
                                  • Instruction Fuzzy Hash: 5A812475A042859FDB06CF68C4607EEBFB1FF6A300F18416BC9A4A7742C3798645CBA1
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001D75BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001D75CD
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column
                                  • API String ID: 4194217158-191570568
                                  • Opcode ID: a779f5afa5746bba6e7bcc490a89991268e862839603d05a9dfb9a4c50c47bcc
                                  • Instruction ID: f8274f8b0619eec22966156a4b9cc3753fa667d835134da4d6afd29bb93263c5
                                  • Opcode Fuzzy Hash: a779f5afa5746bba6e7bcc490a89991268e862839603d05a9dfb9a4c50c47bcc
                                  • Instruction Fuzzy Hash: B4610571A042049FDB08DF68EC94BADBBB6FF45300F24462DE415A77C1E774AA54CB91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001D3E7F
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 707a96433d09361d8b954ffb32816a226e6dcaa87bebb2d08964994ae3619097
                                  • Instruction ID: ec34735bd9e8b85d09d64430255fba95bba96aaf582367922541d2baf12672df
                                  • Opcode Fuzzy Hash: 707a96433d09361d8b954ffb32816a226e6dcaa87bebb2d08964994ae3619097
                                  • Instruction Fuzzy Hash: 5841C5B6900208AFCB04DF58C845BEEB7F9EB49310F14852BF925D7741E770AA108FA5
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001D3E7F
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 4c5ac9e67b2228a806689556943bbb9949273588420191857d46ac2ed5ff40eb
                                  • Instruction ID: 377aa51063d13f367f4840f4c5d71e4863d2eb10996cc4b1115d37f6eaa61e45
                                  • Opcode Fuzzy Hash: 4c5ac9e67b2228a806689556943bbb9949273588420191857d46ac2ed5ff40eb
                                  • Instruction Fuzzy Hash: 3D2108B2510305AFC714DF58D801B96F7D8AB04350F08883BFA6987781E770EA248B91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001D7340
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: parse error$parse_error
                                  • API String ID: 2659868963-1820534363
                                  • Opcode ID: 73a6082c3ff85059db49390955e41f1bd66eacc0b976afd20812c25158f06e09
                                  • Instruction ID: eb281dc5de3bb0acc2be8a8c4f6e7498bb6ea29e511a4267ecd604c83117a59a
                                  • Opcode Fuzzy Hash: 73a6082c3ff85059db49390955e41f1bd66eacc0b976afd20812c25158f06e09
                                  • Instruction Fuzzy Hash: FBE18F70D042489FDB18CF68C8947ADBBB1FF49300F248269E419EB792E7749A85CF50
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001D6F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001D6F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000006.00000002.4496423630.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.
                                  • API String ID: 4194217158-791563284
                                  • Opcode ID: 790557b696969aa77a97655168e22b0a79a0199f93f43922184a62aab90735dd
                                  • Instruction ID: ba68b37dc7840d83bdf5039b0c62cf856077ec49cbe9eea90d9e23d64c62cecb
                                  • Opcode Fuzzy Hash: 790557b696969aa77a97655168e22b0a79a0199f93f43922184a62aab90735dd
                                  • Instruction Fuzzy Hash: AA91E770A002049FDB18CF68D994BAEFBF6FF45300F20862DE415AB792D775A945CB90
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 0024B612
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: Px$$invalid hash bucket count
                                  • API String ID: 909987262-1721581971
                                  • Opcode ID: df294b54a20dd5a98ea27c473de565f593aa9ed9f68095b67a8a92996a04e3e6
                                  • Instruction ID: fa0e18405247401935543f78bc820eb99f49c8f540618882be5deb9f32f00551
                                  • Opcode Fuzzy Hash: df294b54a20dd5a98ea27c473de565f593aa9ed9f68095b67a8a92996a04e3e6
                                  • Instruction Fuzzy Hash: 207124B4A10605DFCB19CF58C18086AFBF9FF88300764C5AAD8599B355D771EA62CF90
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0024E491
                                  Strings
                                  • type must be string, but is , xrefs: 0024E4F8
                                  • type must be boolean, but is , xrefs: 0024E582
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4496522566.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: d9e71b3e7803f4f63ff18a054844532d87a8d4852e94ac18ae2da5fb9f9817d1
                                  • Instruction ID: e82ddf4cbe23fb6ceade92774aaa7aa7429cd0174a1844fb0c2665c534010f04
                                  • Opcode Fuzzy Hash: d9e71b3e7803f4f63ff18a054844532d87a8d4852e94ac18ae2da5fb9f9817d1
                                  • Instruction Fuzzy Hash: 6F417CB1910248AFEF18EBA4D842BDEB7A8EB10310F144675F815D77C2EB35E920C791

                                  Execution Graph

                                  Execution Coverage:3.1%
                                  Dynamic/Decrypted Code Coverage:3.1%
                                  Signature Coverage:0%
                                  Total number of Nodes:545
                                  Total number of Limit Nodes:68

                                  Control-flow Graph

                                  APIs
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00233DB6), ref: 00233B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00233DB6), ref: 00233BBA
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: O+
                                  • API String ID: 0-697038414

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0

                                  Control-flow Graph

                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,002B9087,?,00000000,00000000,00000000,?,00000000,?,001DA3EB,002B9087,00000000,001DA3EB,?,?), ref: 002C5621
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505380054.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d30000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph

                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 002406AE
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D30895
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505380054.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d30000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D30895
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505380054.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d30000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: c1677afbc1260da3c4cf1ec071d3aa66da41adef7170653e5c159c9aebba3dd1
                                  • Instruction ID: 7184d1f30aa1d81db2a7cff8f68f5bc6739be4e32385b728b49189a002b7ebb6
                                  • Opcode Fuzzy Hash: c1677afbc1260da3c4cf1ec071d3aa66da41adef7170653e5c159c9aebba3dd1
                                  • Instruction Fuzzy Hash: 152138EB30D214BDB243A1562B84AF7666EE7C2732730803AF487C110AF284EE4D7471

                                  Control-flow Graph (node list and edges; the rendered graph is not reproduced here)
                                  • control_flow_graph 462 4d306d6-4d3086d 481 4d30886-4d308bb GetCurrentHwProfileW call 4d308ce 462->481 484 4d308bb call 4d308ce 481->484
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D30895
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505380054.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d30000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 8226a770a8926a4a27a6eba13928b4ef319a8b78f47256114c5cc04fe10da447
                                  • Instruction ID: f27d25d106a7df48a581f0faea2367991d56fd7f4d8506c721381f6e2653fa95
                                  • Opcode Fuzzy Hash: 8226a770a8926a4a27a6eba13928b4ef319a8b78f47256114c5cc04fe10da447
                                  • Instruction Fuzzy Hash: EE21DFEB34D214BDB14391562B54AF62A2DE6C6772730803AF887C060AF2C4EE4D7472

                                  Control-flow Graph (node list and edges; the rendered graph is not reproduced here)
                                  • control_flow_graph 486 4d307a6-4d307b1 487 4d307b3-4d307b7 486->487 488 4d3074c-4d307a0 486->488 490 4d307b9-4d3086d 487->490 488->490 502 4d30886-4d308bb GetCurrentHwProfileW call 4d308ce 490->502 505 4d308bb call 4d308ce 502->505
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D30895
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505380054.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d30000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 03108e2c5e31d104d76932b711c90fcefbf28ed06e489a25328522c68a9d8508
                                  • Instruction ID: e94d974bedf2bf9164823a3ad1cc845cd9fa1700052f6455b03c01f1f6666bc1
                                  • Opcode Fuzzy Hash: 03108e2c5e31d104d76932b711c90fcefbf28ed06e489a25328522c68a9d8508
                                  • Instruction Fuzzy Hash: B02105E634D214BDB253A09A2B54BF76B2DDBC6732730843AF487D6546F2C49E4DA070

                                  Control-flow Graph (node list and edges; the rendered graph is not reproduced here)
                                  • control_flow_graph 507 4d3071b-4d30730 509 4d30792-4d30797 507->509 510 4d30732-4d30780 507->510 512 4d30799-4d3086d 509->512 510->512 525 4d30886-4d308bb GetCurrentHwProfileW call 4d308ce 512->525 528 4d308bb call 4d308ce 525->528
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D30895
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505380054.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d30000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 261b5d6ac33fcff0d337c95e440ce9b96413899caec90fd04c8f0b3fc95f091d
                                  • Instruction ID: cd9785b405f54929b697a5469dbabc78a158e0d23bd27566e74ce929175e99a1
                                  • Opcode Fuzzy Hash: 261b5d6ac33fcff0d337c95e440ce9b96413899caec90fd04c8f0b3fc95f091d
                                  • Instruction Fuzzy Hash: E01136EB30D114FD725790862B54AF72A2DE6C6732730803AF48BD250AF2C4AE4D7470

                                  Control-flow Graph (node list and edges; the rendered graph is not reproduced here)
                                  • control_flow_graph 530 4d30723-4d30730 531 4d30792-4d30797 530->531 532 4d30732-4d30780 530->532 534 4d30799-4d3086d 531->534 532->534 547 4d30886-4d308bb GetCurrentHwProfileW call 4d308ce 534->547 550 4d308bb call 4d308ce 547->550
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D30895
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505380054.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d30000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 32afe21cb0683df192139624a0df7d04bd7d137918e1639fd544e30bbf635669
                                  • Instruction ID: 583cf18f840e59c276565302c5ad09793ec00c9a49092aa4a308b93fd618c464
                                  • Opcode Fuzzy Hash: 32afe21cb0683df192139624a0df7d04bd7d137918e1639fd544e30bbf635669
                                  • Instruction Fuzzy Hash: 2B1122EB30D228BCB153A5462B94AF7662DE6C6732730843AF487D210AF2C4AE4D7470

                                  Control-flow Graph (node list and edges; the rendered graph is not reproduced here)
                                  • control_flow_graph 552 4d3073b-4d3086d 567 4d30886-4d308bb GetCurrentHwProfileW call 4d308ce 552->567 570 4d308bb call 4d308ce 567->570
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D30895
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505380054.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d30000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 4ad727158402ca0df5b3795052b4b578c6eac9c266f72c9741ecb0d82d3436df
                                  • Instruction ID: 99d372b74785ec92a5be2ddc26a70e14a63bffe83ab11663dd8b6b57593eb3d7
                                  • Opcode Fuzzy Hash: 4ad727158402ca0df5b3795052b4b578c6eac9c266f72c9741ecb0d82d3436df
                                  • Instruction Fuzzy Hash: 331123EB34D214BCB15391862B94AF7662EEBC6B32730803AF487C1506F2D4AE8D7071
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D30895
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505380054.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d30000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 5a8a7a615571e67174c746ff3b47dda9d074db9d511391f8804e99b7a0a02a38
                                  • Instruction ID: 29d42b1090283c43c5ef767bd8f854d4078807b95c521e04bc87f64e03247cfd
                                  • Opcode Fuzzy Hash: 5a8a7a615571e67174c746ff3b47dda9d074db9d511391f8804e99b7a0a02a38
                                  • Instruction Fuzzy Hash: 7511C4EB34D218BD7253A0962B54AF76B2DD6C6732730843AF887D1146F2C49E4D6071
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D30895
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505380054.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d30000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 549a0e0996c920c184a64f8a2814f162684f8a5150ed124672fc8372e65c785e
                                  • Instruction ID: c2265639047d67ccaef2c22253a6a0085bf45b570ea7c9907873316c487f4e3d
                                  • Opcode Fuzzy Hash: 549a0e0996c920c184a64f8a2814f162684f8a5150ed124672fc8372e65c785e
                                  • Instruction Fuzzy Hash: EB1166EB30D1043DB213B4A52E50AFB6BAEEAC3631330C87AF882D610BD1949D4E5170
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D30895
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505380054.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d30000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 515535cda74443c721071cd1317ebd19213c3594233c40057262ba9d0d50f443
                                  • Instruction ID: ac30b4035ffa53e24016c20a3a2b910ecc12ee4471f0ab2eb1c7c944f7f5753c
                                  • Opcode Fuzzy Hash: 515535cda74443c721071cd1317ebd19213c3594233c40057262ba9d0d50f443
                                  • Instruction Fuzzy Hash: 851182DB349214BCB25395862B44AF6666EE7C6632730443AF487D1646F2C49E4D6071
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D30895
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505380054.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d30000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: e545c2fe262e1275c5cb3f435a45412f711dbb51a3c908ffebacf7965e68f0d6
                                  • Instruction ID: 271cf6b7048f3907abc217225bc71812d7693352b6e48dfb2d5d1ce7841efa6f
                                  • Opcode Fuzzy Hash: e545c2fe262e1275c5cb3f435a45412f711dbb51a3c908ffebacf7965e68f0d6
                                  • Instruction Fuzzy Hash: CF01B5DB34D218BCB157A0822B44AF7666ED7C7732730843AB487D1146F2C49E4D7471
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D30895
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505380054.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d30000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: eb0cd07791d7bdb2ed8f9880ab4bd36c8e30614d3d811890650044c59d06fd6e
                                  • Instruction ID: debd35610c1840fe111cd2b310606ef4ed1a52562f4c82d86996c33270b587eb
                                  • Opcode Fuzzy Hash: eb0cd07791d7bdb2ed8f9880ab4bd36c8e30614d3d811890650044c59d06fd6e
                                  • Instruction Fuzzy Hash: 7D0124EB34D218BCB113A0822B44AF7666EEBC6732B308436B443D1146F2C49E4D6071
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D30895
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505380054.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d30000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 207d444f6d5cd62c4a943a94b6ae789a15e01ff714d408236f78c14a2b87057b
                                  • Instruction ID: bae17ccb3038cbedfb4bc38ac8f362f12fbeabff24dc9fe5ac426aa45a53be0c
                                  • Opcode Fuzzy Hash: 207d444f6d5cd62c4a943a94b6ae789a15e01ff714d408236f78c14a2b87057b
                                  • Instruction Fuzzy Hash: 3801A2EB34D1287C7157A0862B549F66A6EEAC3A72330847AB487C1246F2C89F4E6071
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D30895
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505380054.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d30000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 3da1e6807a5b1820b20c00b68d3aac5a8e69b78df6b9b67bbff1aa126bf16724
                                  • Instruction ID: 91291aa09c775f6a5a304887b54a1cff73a19b82c5292fa2480cfbff953f454a
                                  • Opcode Fuzzy Hash: 3da1e6807a5b1820b20c00b68d3aac5a8e69b78df6b9b67bbff1aa126bf16724
                                  • Instruction Fuzzy Hash: 970128A770D128ADF217A1662A545F6276EDAC7672730887BF443C2606F2849A49A0B1
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,002C49F9,00000000,CF830579,00301140,0000000C,002C4AB5,002B8BBD,?), ref: 002C4B68
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: f43a7eeee8f43653bdd5a8d4eb1afaa72911779ad18724474540e12183408c56
                                  • Instruction ID: e711728bddd9996bc93b28213d70ec75e3025b8b5305f723adad60d644ba9bbd
                                  • Opcode Fuzzy Hash: f43a7eeee8f43653bdd5a8d4eb1afaa72911779ad18724474540e12183408c56
                                  • Instruction Fuzzy Hash: 5D118833E7011816DA247A356822F7F675E8B8277CF39030DFC089B0C2EE60EC614155
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00300DF8,001DA3EB,00000002,001DA3EB,00000000,?,?,?,002BE166,00000000,?,001DA3EB,00000002,00300DF8), ref: 002BE098
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: 442d3ca08a5ca7506a37346be4de4209deef9d5154c002a306ee028f4c3a978c
                                  • Instruction ID: 5260c827199979693da52992514d8d6233ab4435a898cd1d764fbcc93b22ec9d
                                  • Opcode Fuzzy Hash: 442d3ca08a5ca7506a37346be4de4209deef9d5154c002a306ee028f4c3a978c
                                  • Instruction Fuzzy Hash: A9012632620119AFCF05AF19CC06CDE3B2ADB81364B250248FC50AB2D1E6B2FD619BD0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001D220E
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID:
                                  • API String ID: 2659868963-0
                                  • Opcode ID: dc230ebe102efb051326ae556abab537d7f128e004c28a2706078cc2e29e7cfa
                                  • Instruction ID: f6c265f93404b6fbafc7c157f7a985d444585bc0bb31918bd4848bbf0e1ec043
                                  • Opcode Fuzzy Hash: dc230ebe102efb051326ae556abab537d7f128e004c28a2706078cc2e29e7cfa
                                  • Instruction Fuzzy Hash: 8801203541030D67CB14AF98E801A9977AC9A01350B408436FE19DBA91EB70D9748B94
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,002B91F7,00000000,?,002C5D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,002BD244,002B89C3,002B91F7,00000000), ref: 002C6435
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 3b471aceab78087a65b77303bee13917a0036079ef3f4cd03895c0ad672a09d9
                                  • Instruction ID: 201dede089a9a40ddc8f1dbccf20f3f8608f2a52c0d0333dba38f2da43870ca7
                                  • Opcode Fuzzy Hash: 3b471aceab78087a65b77303bee13917a0036079ef3f4cd03895c0ad672a09d9
                                  • Instruction Fuzzy Hash: EEF0E93153122666DB396F629C0AF6B3B4C9F417B0F15871DEC04A6480CB70E83046F1
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D30895
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505380054.0000000004D30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D30000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d30000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: cb4bef39d99c4e6150ef92d8020b78de109b72371ab9c5555a78287e9d2df0bd
                                  • Instruction ID: a4d3bcf78c8f89f0474458d62529b54ea61c627320a34f66627ad07ea3dc9cb9
                                  • Opcode Fuzzy Hash: cb4bef39d99c4e6150ef92d8020b78de109b72371ab9c5555a78287e9d2df0bd
                                  • Instruction Fuzzy Hash: 2FE0228634E2503DF213A5662E109F76A1DCED3631334857AB8C6C2207E988AC1D51B1
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,002CD635,4D88C033,?,002CD635,00000220,?,002C57EF,4D88C033), ref: 002C6E5F
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: ebafbfaea1db20c30d47911c11b57269ba807adb1f3e43f9b8267260009a11e5
                                  • Instruction ID: 8f6c46e832be31053eb1f8ef47267bb5230e11632ac99052ecbacd655cdb9f76
                                  • Opcode Fuzzy Hash: ebafbfaea1db20c30d47911c11b57269ba807adb1f3e43f9b8267260009a11e5
                                  • Instruction Fuzzy Hash: D1E0E5391756165ADA313A65CC09F5B764C8B417B0F15072FEC00924D2CB50CC3085A4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505428808.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d40000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: 1
                                  • API String ID: 0-2212294583
                                  • Opcode ID: 8553fbf817ab5f97fffae34bf0ec6ff255bd0e31713f058d05ea92ad996d9a7c
                                  • Instruction ID: 850b288377a6f556844fd65ac7e740a9f3bbce3b173d27ea238f13b3643364f0
                                  • Opcode Fuzzy Hash: 8553fbf817ab5f97fffae34bf0ec6ff255bd0e31713f058d05ea92ad996d9a7c
                                  • Instruction Fuzzy Hash: 2D113DFB24C210BEB14396926B14AFBABAEE5D2730730C42BF582C5506E2995B5E7131
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505428808.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d40000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 14ff070b0185bd14b0e6e54b39d4cd3aeaddaf2716595181096dab1041fba690
                                  • Instruction ID: eada337e7544dba2a246f7301a95908d63645fb8044e5d8a6d4a44abd20f5322
                                  • Opcode Fuzzy Hash: 14ff070b0185bd14b0e6e54b39d4cd3aeaddaf2716595181096dab1041fba690
                                  • Instruction Fuzzy Hash: C6316DFB34C1217E704395856B15AFB5BAEE1D6B34330C42BF986D5502E2899B4E2131
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505428808.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d40000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5d321bc9b6e77f9a66fc9c6227af054830157c112b40a7de51b35ca8d8801855
                                  • Instruction ID: 4af99cd931c52e68bc3b2f38ea016a71f699a259a1898c9bb56992c84088feaa
                                  • Opcode Fuzzy Hash: 5d321bc9b6e77f9a66fc9c6227af054830157c112b40a7de51b35ca8d8801855
                                  • Instruction Fuzzy Hash: AE01E9FF24C1107E704295927B18EFB67AEE1D2730330C527F943D5502E2895B5E6171
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505428808.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d40000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 55d7a5043c413b4f4109bf25884b31abf34fb27b876f9c7772d02e6d04de7354
                                  • Instruction ID: bda204d518b6dece34a57cc9a68898d0b2056d79975db11da5812d23031d9aca
                                  • Opcode Fuzzy Hash: 55d7a5043c413b4f4109bf25884b31abf34fb27b876f9c7772d02e6d04de7354
                                  • Instruction Fuzzy Hash: 9A0128BA14C640BFA24386A56A089F6BB79F6D3630734446EF982D7043F2965219A231
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505428808.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d40000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fe078d14a0619cf7ddb527f23d61491f1c5882dee738d07812e7ad1a5e00090b
                                  • Instruction ID: d7ba424051fc35da7343e73f4dfa545138fb40ded9f5a72502f5a3a5ec292877
                                  • Opcode Fuzzy Hash: fe078d14a0619cf7ddb527f23d61491f1c5882dee738d07812e7ad1a5e00090b
                                  • Instruction Fuzzy Hash: B0F090BF28D111BE614395A12708AF6AABDB5E36303744527F583D4902F285975E7270
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505428808.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d40000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d2b80680acc13ab334c0e7809eb1c4ca0d83f88ab8d16e7b967ab9691d83b0c9
                                  • Instruction ID: 958fc7d3ff140651eaf790b8edc4dc1d412ba9dc02d9e11474e0a4f4d1982c8b
                                  • Opcode Fuzzy Hash: d2b80680acc13ab334c0e7809eb1c4ca0d83f88ab8d16e7b967ab9691d83b0c9
                                  • Instruction Fuzzy Hash: E4F0EDFB34C165BE705390422E55DF71A2EE1D67783318426BA8BD6542F399AA4A3032
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction ID: bbe6706893308522768bf0182de4f41967739c2473e0555e83ee2cd9eb29734f
                                  • Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction Fuzzy Hash: D1023C71E1121A9BDF14CFA9C8806EEFBB9FF48354F248269D519E7380DB31A951CB90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505428808.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d40000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: E
                                  • API String ID: 0-972383279
                                  • Opcode ID: c109085f0313cc8cd1cdf65c0f67230347da5940e657dc05ed7ddca923c24c76
                                  • Instruction ID: 0b6713acf8c0eb1b6c5d7867e4230f038f55317b6e66503223308f5f435e2b9d
                                  • Opcode Fuzzy Hash: c109085f0313cc8cd1cdf65c0f67230347da5940e657dc05ed7ddca923c24c76
                                  • Instruction Fuzzy Hash: EA1171B710C5806FE7038524A918EFB7F28DBC7B34731805BE18687047F151950A9171
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4505428808.0000000004D40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4d40000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f91f35f99c799fa9ce413baf5e63f7f6e92df4d7db45941e24878ba679a053f0
                                  • Instruction ID: 30e70b6d9287897d4fe4f1a66aabc9e29299bcac021d955673fbd6e4ad6a8a58
                                  • Opcode Fuzzy Hash: f91f35f99c799fa9ce413baf5e63f7f6e92df4d7db45941e24878ba679a053f0
                                  • Instruction Fuzzy Hash: 7EF0EC7730CA90BF6247456015C86BA7768EDC222133444FEEAC2CED83D165D45BE6B1
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0023F833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0023F855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0023F875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0023F89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0023F90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0023F959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0023F973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0023FA08
                                  • std::_Facet_Register.LIBCPMT ref: 0023FA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$"/
                                  • API String ID: 3375549084-1188037619
                                  • Opcode ID: 3a285ebabcfa9536c5826a11c3945500fc87f063c9472b171645b06cb9342405
                                  • Instruction ID: 1a52b5d5bccc1307b6ae5a42b191efb5dc6b5cc2003d162fc4a11836d4e7bd55
                                  • Opcode Fuzzy Hash: 3a285ebabcfa9536c5826a11c3945500fc87f063c9472b171645b06cb9342405
                                  • Instruction Fuzzy Hash: BA61CFB1D202099BEF10DFA4EA45BDEBBB4AF15310F144069E805AB381EB74E915CF91
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 002B2E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 002B2E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 002B2ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 002B2F03
                                  • _ValidateLocalCookies.LIBCMT ref: 002B2F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: i0$csm
                                  • API String ID: 1170836740-1866805317
                                  • Opcode ID: dbee62e5149e73ae7240dafcf94d0ef21dbe0738c8ed8b61c4f323501c396f79
                                  • Instruction ID: 32ac7f7cfeadbd2963840aa2b7b08df8b3fef845df534a84ea462bafd154c1fa
                                  • Opcode Fuzzy Hash: dbee62e5149e73ae7240dafcf94d0ef21dbe0738c8ed8b61c4f323501c396f79
                                  • Instruction Fuzzy Hash: CA41C430A20309DBCF10DF69C885AEEBBB5EF45394F148055E8149B792D771EE69CB90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 001D3A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001D3AA4
                                  • __Getctype.LIBCPMT ref: 001D3ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 001D3AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 001D3B7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: e336c04381489506ce98469e20e1aa0013bd86d0ae350632ed8ca0ff762a92d3
                                  • Instruction ID: 7eec70bbacd63bb50638145529670cbaa62c8c05c7e4b56e60d9b2299b9eeca0
                                  • Opcode Fuzzy Hash: e336c04381489506ce98469e20e1aa0013bd86d0ae350632ed8ca0ff762a92d3
                                  • Instruction Fuzzy Hash: B55144B1D102489FDF10DFA4D945BDDBBB8AF15310F14406AE819AB381EB75DA14CB52
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0023DE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0023DEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0023DED6
                                  • std::_Facet_Register.LIBCPMT ref: 0023DF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0023DF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0023DF7B
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  • Opcode ID: 3fcc8f2dd8ce59d5b053b5e8679bbf7d017a903f953f1645709824ea4ad6a51e
                                  • Instruction ID: c3f5f2e51c86c7bb40ed35f79696e9488f9dac318875ddca51c4b69ee872915a
                                  • Opcode Fuzzy Hash: 3fcc8f2dd8ce59d5b053b5e8679bbf7d017a903f953f1645709824ea4ad6a51e
                                  • Instruction Fuzzy Hash: D04123B5D202169FCB15DF54E881B6EBBB8FB11710F10426AE816AB752DB30AD21CBD1
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001D4F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001D4FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001D50C8
                                  Strings
                                  • recursive_directory_iterator::operator++, xrefs: 001D504C
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-953255998
                                  • Opcode ID: ca26052e8f98b9b1c5fd7b2aee9a1f6a4e2ad062376d2f9617a647aa7de53046
                                  • Instruction ID: 977c9e67eec8c3d12b2928d7d57d3ff8a05cdf20fcdf868f4a016b3e73774ee2
                                  • Opcode Fuzzy Hash: ca26052e8f98b9b1c5fd7b2aee9a1f6a4e2ad062376d2f9617a647aa7de53046
                                  • Instruction Fuzzy Hash: FBE1E2B19106049FCB28DF68D895BAEF7F9FF44300F144A2EE45693781E774A914CBA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001D799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001D7B75
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: out_of_range$type_error
                                  • API String ID: 2659868963-3702451861
                                  • Opcode ID: 3b9fabe72a022adb020c0c12b9e90c2a241c656b08d31f4bc3cdd6034f6d1ebb
                                  • Instruction ID: b674fd593ab362357c3c0e7f3f47a3c52fb226ef3aaf768fe579279ba3ba9650
                                  • Opcode Fuzzy Hash: 3b9fabe72a022adb020c0c12b9e90c2a241c656b08d31f4bc3cdd6034f6d1ebb
                                  • Instruction Fuzzy Hash: CAC156B1D002088FDB08DFA8E9947ADFBF1AB49310F14866AE419EB791E7749984CB54
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 001D2275
                                    • Part of subcall function 002AD6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 002AD6F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                  • String ID: string too long$L0$L0
                                  • API String ID: 1997705970-1638608421
                                  • Opcode ID: 8490484e3ed718928e4d1e8a565281a0dd77244087875b57fcc25a8bd79cf534
                                  • Instruction ID: de67a2654fe37548eab6af86c684d8b2c2d8ca9ac42ef4583abea7e05da30beb
                                  • Opcode Fuzzy Hash: 8490484e3ed718928e4d1e8a565281a0dd77244087875b57fcc25a8bd79cf534
                                  • Instruction Fuzzy Hash: 5A812475A042859FDB06CF68C4607EEBFB1FF6A300F18416BC9A4A7742C3798645CBA1
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001D75BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001D75CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column
                                  • API String ID: 4194217158-191570568
                                  • Opcode ID: a779f5afa5746bba6e7bcc490a89991268e862839603d05a9dfb9a4c50c47bcc
                                  • Instruction ID: f8274f8b0619eec22966156a4b9cc3753fa667d835134da4d6afd29bb93263c5
                                  • Opcode Fuzzy Hash: a779f5afa5746bba6e7bcc490a89991268e862839603d05a9dfb9a4c50c47bcc
                                  • Instruction Fuzzy Hash: B4610571A042049FDB08DF68EC94BADBBB6FF45300F24462DE415A77C1E774AA54CB91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001D3E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 707a96433d09361d8b954ffb32816a226e6dcaa87bebb2d08964994ae3619097
                                  • Instruction ID: ec34735bd9e8b85d09d64430255fba95bba96aaf582367922541d2baf12672df
                                  • Opcode Fuzzy Hash: 707a96433d09361d8b954ffb32816a226e6dcaa87bebb2d08964994ae3619097
                                  • Instruction Fuzzy Hash: 5841C5B6900208AFCB04DF58C845BEEB7F9EB49310F14852BF925D7741E770AA108FA5
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001D3E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 4c5ac9e67b2228a806689556943bbb9949273588420191857d46ac2ed5ff40eb
                                  • Instruction ID: 377aa51063d13f367f4840f4c5d71e4863d2eb10996cc4b1115d37f6eaa61e45
                                  • Opcode Fuzzy Hash: 4c5ac9e67b2228a806689556943bbb9949273588420191857d46ac2ed5ff40eb
                                  • Instruction Fuzzy Hash: 3D2108B2510305AFC714DF58D801B96F7D8AB04350F08883BFA6987781E770EA248B91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001D7340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: parse error$parse_error
                                  • API String ID: 2659868963-1820534363
                                  • Opcode ID: 73a6082c3ff85059db49390955e41f1bd66eacc0b976afd20812c25158f06e09
                                  • Instruction ID: eb281dc5de3bb0acc2be8a8c4f6e7498bb6ea29e511a4267ecd604c83117a59a
                                  • Opcode Fuzzy Hash: 73a6082c3ff85059db49390955e41f1bd66eacc0b976afd20812c25158f06e09
                                  • Instruction Fuzzy Hash: FBE18F70D042489FDB18CF68C8947ADBBB1FF49300F248269E419EB792E7749A85CF50
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001D6F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001D6F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.
                                  • API String ID: 4194217158-791563284
                                  • Opcode ID: 790557b696969aa77a97655168e22b0a79a0199f93f43922184a62aab90735dd
                                  • Instruction ID: ba68b37dc7840d83bdf5039b0c62cf856077ec49cbe9eea90d9e23d64c62cecb
                                  • Opcode Fuzzy Hash: 790557b696969aa77a97655168e22b0a79a0199f93f43922184a62aab90735dd
                                  • Instruction Fuzzy Hash: AA91E770A002049FDB18CF68D994BAEFBF6FF45300F20862DE415AB792D775A945CB90
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 0024B612
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: Px$$invalid hash bucket count
                                  • API String ID: 909987262-1721581971
                                  • Opcode ID: df294b54a20dd5a98ea27c473de565f593aa9ed9f68095b67a8a92996a04e3e6
                                  • Instruction ID: fa0e18405247401935543f78bc820eb99f49c8f540618882be5deb9f32f00551
                                  • Opcode Fuzzy Hash: df294b54a20dd5a98ea27c473de565f593aa9ed9f68095b67a8a92996a04e3e6
                                  • Instruction Fuzzy Hash: 207124B4A10605DFCB19CF58C18086AFBF9FF88300764C5AAD8599B355D771EA62CF90
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0024E491
                                  Strings
                                  • type must be boolean, but is , xrefs: 0024E582
                                  • type must be string, but is , xrefs: 0024E4F8
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4496541525.00000000001D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 001D0000, based on PE: true
                                  • Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496541525.0000000000303000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4496992886.0000000000308000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000030C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000049C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.000000000057F000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005B8000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005C1000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4497101175.00000000005CF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498264487.00000000005D0000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.4498681856.0000000000779000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_1d0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: d9e71b3e7803f4f63ff18a054844532d87a8d4852e94ac18ae2da5fb9f9817d1
                                  • Instruction ID: e82ddf4cbe23fb6ceade92774aaa7aa7429cd0174a1844fb0c2665c534010f04
                                  • Opcode Fuzzy Hash: d9e71b3e7803f4f63ff18a054844532d87a8d4852e94ac18ae2da5fb9f9817d1
                                  • Instruction Fuzzy Hash: 6F417CB1910248AFEF18EBA4D842BDEB7A8EB10310F144675F815D77C2EB35E920C791
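The stanzas above are the unit an analyst actually works with when pivoting between samples: each one pairs a set of referenced APIs and strings (the API String ID) with content hashes of the function body (Opcode ID, Instruction Fuzzy Hash). The following parser is an added example written for this page, not Joe Sandbox code; it turns a text export of these stanzas into records and groups them by API String ID so that functions which reference the same APIs and strings but have different opcode hashes stand out (on this page, the two ios_base stanzas share 2659868963-1866435925 but carry different Opcode IDs). The sample input is constructed from entries on this page; the reading of the API String ID as "<api-hash>-<string-hash>" is an inference from the page itself, where every ___std_exception_copy stanza shares the first component and every ___std_exception_destroy stanza shares 4194217158, and the "Download File" suffix the parser strips is the link text the HTML export glues onto the .sdmp names.

```python
"""Parse the per-function stanzas of a Joe Sandbox report (APIs / Strings / Memory
Dump Source / Similarity) into records and group them by API String ID. Added example."""
import re
from collections import defaultdict

# Constructed sample in the report's stanza format, built from entries on this page.
SAMPLE = """
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 001D2275
  • Part of subcall function 002AD6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 002AD6F5
Memory Dump Source
• Associated: 00000007.00000002.4496427930.00000000001D0000.00000004.00000001.01000000.00000005.sdmpDownload File
Similarity
• API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
• API String ID: 1997705970-1638608421
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 001D3E7F
Similarity
• API ID: ___std_exception_copy
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2659868963-1866435925
• Opcode ID: 707a96433d09361d8b954ffb32816a226e6dcaa87bebb2d08964994ae3619097
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 001D3E7F
Similarity
• API ID: ___std_exception_copy
• API String ID: 2659868963-1866435925
• Opcode ID: 4c5ac9e67b2228a806689556943bbb9949273588420191857d46ac2ed5ff40eb
APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 0024E491
Strings
• type must be boolean, but is , xrefs: 0024E582
• type must be string, but is , xrefs: 0024E4F8
Similarity
• API ID: Concurrency::cancel_current_task
• API String ID: 118556049-436076039
• Opcode ID: d9e71b3e7803f4f63ff18a054844532d87a8d4852e94ac18ae2da5fb9f9817d1
"""

SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
FIELDS = {"API ID", "String ID", "API String ID", "Opcode ID", "Instruction ID",
          "Opcode Fuzzy Hash", "Instruction Fuzzy Hash", "Source File", "Snapshot File"}
API_REF = re.compile(r"^(?P<name>.+?)\.(?P<lib>[A-Z][A-Z0-9_]*) ref: (?P<addr>[0-9A-Fa-f]+)$")
SUBCALL = re.compile(r"^Part of subcall function (?P<via>[0-9A-Fa-f]+): (?P<rest>.+)$")
XREF = re.compile(r"^(?P<text>.*), xrefs: (?P<addr>[0-9A-Fa-f]+)$")


def parse_blocks(text):
    """Return one dict per stanza; a stanza starts at an 'APIs' line."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "strings": [], "associated": []}
            records.append(cur)
            section = "APIs"
        elif cur is None or not line:
            continue
        elif line in SECTIONS:
            section = line
        elif line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs":
                via, sub = None, SUBCALL.match(body)
                if sub:                           # callee reached through a subcall
                    via, body = int(sub["via"], 16), sub["rest"]
                m = API_REF.match(body)
                if m:
                    cur["apis"].append({"name": m["name"], "lib": m["lib"],
                                        "ref": int(m["addr"], 16), "via": via})
            elif section == "Strings":
                m = XREF.match(body)
                if m:
                    cur["strings"].append((m["text"], int(m["addr"], 16)))
            else:
                key, _, value = body.partition(": ")
                if value.endswith("Download File"):   # link text glued on by the export
                    value = value[: -len("Download File")]
                if key == "Associated":
                    cur["associated"].append(value)
                elif key in FIELDS:
                    cur[key] = value
    return records


def split_id(api_string_id):
    """'2659868963-1866435925' -> (api_hash, string_hash); inferred from this page,
    where every stanza whose API ID is ___std_exception_copy shares the first part."""
    a, _, s = api_string_id.partition("-")
    return int(a), int(s)


def variants_by_signature(records):
    """API String ID -> sorted distinct Opcode IDs. More than one Opcode ID under a
    signature means several distinct functions reference the same APIs and strings."""
    groups = defaultdict(set)
    for r in records:
        if "API String ID" in r and "Opcode ID" in r:
            groups[r["API String ID"]].add(r["Opcode ID"])
    return {k: sorted(v) for k, v in groups.items()}
```

Feed it the text export of a whole report and the groups with more than one Opcode ID are the candidates for a closer look in the disassembler; a stanza without an Opcode ID (as in the first sample block) is deliberately left out of the grouping rather than counted as a variant.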

                                  Execution Graph

                                  Execution Coverage: 2.4%
                                  Dynamic/Decrypted Code Coverage: 2.1%
                                  Signature Coverage: 0%
                                  Total number of Nodes: 389
                                  Total number of Limit Nodes: 62
                                  execution_graph: the report's interactive call graph, serialised here as raw node and edge data (the dump continues past this section). What survives in this fragment: entry nodes 4c80ac8, 4c808b2 and 13a210; Windows API nodes GetCurrentHwProfileW (4c80aa6, 4c808b2), RtlAllocateHeap (many sites), SetFilePointerEx (21e13d, 21e08a, 214cae, 214ae3) and WriteFile (225609); the remaining nodes are MSVC runtime and STL helpers (___std_exception_copy, __fread_nolock, __dosmaperr, __Getctype, std::_Xinvalid_argument, std::_Facet_Register, std::_Lockit::_Lockit, std::_Locinfo::_Locinfo_dtor, std::locale::_Locimp::_Locimp, Concurrency::cancel_current_task, _ValidateLocalCookies). GetCurrentHwProfileW returns the machine's hardware-profile GUID, a value stealers commonly use as a victim identifier, which is why it appears as its own root in the graph.
21487->21549 21489 22498f 21488->21489 21493 224690 21488->21493 21573 21d22c RtlAllocateHeap __dosmaperr 21489->21573 21492 22463a 21550 21d23f RtlAllocateHeap __dosmaperr 21492->21550 21496 22469b 21493->21496 21500 224642 21493->21500 21504 2246cb 21493->21504 21494 224994 21574 21d23f RtlAllocateHeap __dosmaperr 21494->21574 21551 21d22c RtlAllocateHeap __dosmaperr 21496->21551 21499 2246a8 21575 2147a0 RtlAllocateHeap ___std_exception_copy 21499->21575 21500->21477 21501 2246a0 21552 21d23f RtlAllocateHeap __dosmaperr 21501->21552 21505 2246e4 21504->21505 21506 2246f1 21504->21506 21507 22471f 21504->21507 21505->21506 21513 22470d 21505->21513 21553 21d22c RtlAllocateHeap __dosmaperr 21506->21553 21556 226e2d 21507->21556 21509 2246f6 21554 21d23f RtlAllocateHeap __dosmaperr 21509->21554 21512 230d44 __fread_nolock RtlAllocateHeap 21529 22486b 21512->21529 21513->21512 21515 2246fd 21555 2147a0 RtlAllocateHeap ___std_exception_copy 21515->21555 21518 224739 21563 226db3 RtlAllocateHeap __dosmaperr 21518->21563 21519 2248e3 ReadFile 21522 224957 21519->21522 21523 2248fb 21519->21523 21521 224740 21524 224765 21521->21524 21525 22474a 21521->21525 21532 224964 21522->21532 21543 2248b5 21522->21543 21523->21522 21533 2248d4 21523->21533 21566 21e13d SetFilePointerEx RtlAllocateHeap __fread_nolock ___std_exception_copy 21524->21566 21564 21d23f RtlAllocateHeap __dosmaperr 21525->21564 21529->21519 21531 22489b 21529->21531 21530 22474f 21565 21d22c RtlAllocateHeap __dosmaperr 21530->21565 21531->21533 21531->21543 21571 21d23f RtlAllocateHeap __dosmaperr 21532->21571 21536 224920 21533->21536 21537 224937 21533->21537 21544 224708 __fread_nolock 21533->21544 21569 224335 SetFilePointerEx RtlAllocateHeap __fread_nolock __dosmaperr 21536->21569 21537->21544 21570 22417b SetFilePointerEx RtlAllocateHeap __fread_nolock 21537->21570 21540 224969 21572 21d22c RtlAllocateHeap __dosmaperr 21540->21572 21543->21544 21567 21d1e5 RtlAllocateHeap __dosmaperr 21543->21567 
21568 226db3 RtlAllocateHeap __dosmaperr 21544->21568 21545->21482 21546->21472 21547->21477 21548->21482 21549->21492 21550->21500 21551->21501 21552->21499 21553->21509 21554->21515 21555->21544 21557 226e6b 21556->21557 21561 226e3b __Getctype std::_Facet_Register 21556->21561 21576 21d23f RtlAllocateHeap __dosmaperr 21557->21576 21559 226e56 RtlAllocateHeap 21560 224730 21559->21560 21559->21561 21562 226db3 RtlAllocateHeap __dosmaperr 21560->21562 21561->21557 21561->21559 21562->21518 21563->21521 21564->21530 21565->21544 21566->21513 21567->21544 21568->21500 21569->21544 21570->21544 21571->21540 21572->21544 21573->21494 21574->21499 21575->21500 21576->21560 21578 218acf __fread_nolock 21577->21578 21579 218ad9 21578->21579 21581 218afc __fread_nolock 21578->21581 21598 214723 RtlAllocateHeap ___std_exception_copy __Getctype 21579->21598 21583 218af4 21581->21583 21584 218b5a 21581->21584 21583->21252 21585 218b67 21584->21585 21586 218b8a 21584->21586 21610 214723 RtlAllocateHeap ___std_exception_copy __Getctype 21585->21610 21588 218b82 21586->21588 21589 2155d3 4 API calls 21586->21589 21588->21583 21590 218ba2 21589->21590 21599 226ded 21590->21599 21593 225f82 __fread_nolock RtlAllocateHeap 21594 218bb6 21593->21594 21603 224a3f 21594->21603 21598->21583 21600 226e04 21599->21600 21602 218baa 21599->21602 21600->21602 21612 226db3 RtlAllocateHeap __dosmaperr 21600->21612 21602->21593 21606 218bbd 21603->21606 21607 224a68 21603->21607 21604 224ab7 21617 214723 RtlAllocateHeap ___std_exception_copy __Getctype 21604->21617 21606->21588 21611 226db3 RtlAllocateHeap __dosmaperr 21606->21611 21607->21604 21608 224a8f 21607->21608 21613 2249ae 21608->21613 21610->21588 21611->21588 21612->21602 21614 2249ba __fread_nolock 21613->21614 21616 2249f9 21614->21616 21618 224b12 21614->21618 21616->21606 21617->21606 21619 22a6de __fread_nolock RtlAllocateHeap 21618->21619 21620 224b22 21619->21620 21622 224b5a 21620->21622 21623 22a6de __fread_nolock 
RtlAllocateHeap 21620->21623 21628 224b28 21620->21628 21624 22a6de __fread_nolock RtlAllocateHeap 21622->21624 21622->21628 21625 224b51 21623->21625 21626 224b66 FindCloseChangeNotification 21624->21626 21627 22a6de __fread_nolock RtlAllocateHeap 21625->21627 21626->21628 21627->21622 21630 22a64d RtlAllocateHeap __dosmaperr 21628->21630 21629 224b80 __fread_nolock 21629->21616 21630->21629 21685 4c807d8 GetCurrentHwProfileW GetCurrentHwProfileW GetCurrentHwProfileW GetCurrentHwProfileW 21731 144100 GetPEB RtlAllocateHeap __fread_nolock 21703 14e0a0 WSAStartup 21704 14e0d8 21703->21704 21707 14e1a7 21703->21707 21705 14e175 socket 21704->21705 21704->21707 21706 14e18b connect 21705->21706 21705->21707 21706->21707 21708 14e19d closesocket 21706->21708 21708->21705 21708->21707 21732 149f50 5 API calls 3 library calls 21632 21d168 21633 21d17b ___std_exception_copy 21632->21633 21638 21cf4a 21633->21638 21635 21d190 21636 2144dc ___std_exception_copy RtlAllocateHeap 21635->21636 21637 21d19d 21636->21637 21639 21cf58 21638->21639 21644 21cf80 21638->21644 21640 21cf65 21639->21640 21641 21cf87 21639->21641 21639->21644 21650 214723 RtlAllocateHeap ___std_exception_copy __Getctype 21640->21650 21646 21cea3 21641->21646 21644->21635 21645 21cfbf 21645->21635 21647 21ceaf __fread_nolock 21646->21647 21651 21cefe 21647->21651 21649 21ceca 21649->21645 21650->21644 21658 228644 21651->21658 21657 21cf40 21657->21649 21675 228606 21658->21675 21660 21cf16 21665 21cfc1 21660->21665 21661 228655 21661->21660 21662 226e2d std::_Locinfo::_Locinfo_dtor 2 API calls 21661->21662 21663 2286ae 21662->21663 21682 226db3 RtlAllocateHeap __dosmaperr 21663->21682 21667 21cfd3 21665->21667 21669 21cf34 21665->21669 21666 21cfe1 21683 214723 RtlAllocateHeap ___std_exception_copy __Getctype 21666->21683 21667->21666 21667->21669 21672 21d017 std::locale::_Locimp::_Locimp 21667->21672 21674 2286ef SetFilePointerEx WriteFile RtlAllocateHeap RtlAllocateHeap 21669->21674 21670 2155d3 4 
API calls 21670->21672 21671 225f82 __fread_nolock RtlAllocateHeap 21671->21672 21672->21669 21672->21670 21672->21671 21673 22538b 4 API calls 21672->21673 21673->21672 21674->21657 21676 228612 21675->21676 21677 22863c 21676->21677 21678 225f82 __fread_nolock RtlAllocateHeap 21676->21678 21677->21661 21679 22862d 21678->21679 21680 230d44 __fread_nolock RtlAllocateHeap 21679->21680 21681 228633 21680->21681 21681->21661 21682->21660 21683->21669 21735 1329c0 RtlAllocateHeap 21686 193a40 21689 193a55 21686->21689 21687 193b28 GetPEB 21687->21689 21688 193a73 GetPEB 21688->21689 21689->21687 21689->21688 21690 193b9d Sleep 21689->21690 21691 193ae8 Sleep 21689->21691 21692 193bc7 21689->21692 21690->21689 21691->21689 21693 4c80911 GetCurrentHwProfileW 21734 132770 RtlAllocateHeap RtlAllocateHeap std::locale::_Locimp::_Locimp 21725 4c80827 GetCurrentHwProfileW GetCurrentHwProfileW GetCurrentHwProfileW GetCurrentHwProfileW 21726 1440e0 GetSystemTimePreciseAsFileTime __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __Xtime_get_ticks

                                  Control-flow Graph (nodes marked Executed / Not Executed)
                                  • Function at 193a40: basic blocks 193a40 through 193be0-193bfd; calls GetPEB, Sleep and sub_136bd0
                                  APIs
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00193DB6), ref: 00193B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00193DB6), ref: 00193BBA
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 1dcbf5d2800823ad194629fb9a24eb22f16e685f2c51b7365056544888e8d80e
                                  • Instruction ID: 4c76ca5a7f84ae4f4d7845147b736a909d04ed86c72d2ec15f430ca1bafd9f90
                                  • Opcode Fuzzy Hash: 1dcbf5d2800823ad194629fb9a24eb22f16e685f2c51b7365056544888e8d80e
                                  • Instruction Fuzzy Hash: 08519935A042199FCF28CF58C8D0EAAB7B1EF45704F29859AD866AB351D731EE05CB90

                                  Control-flow Graph (nodes marked Executed / Not Executed)
                                  • Function at 14e0a0: basic blocks 14e0a0 through 14e1d1-14e1d9; calls WSAStartup, socket, connect, closesocket and sub_136bd0 (twice)
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: 5f35a3adedce056c4ff9249d22e6f492589afc8ec05e70ece650ca2507e477e9
                                  • Instruction ID: adeeff08c63fbbb417fdb2fa28a702cfa3f19f447e4ec7487c7217e1cb2c1825
                                  • Opcode Fuzzy Hash: 5f35a3adedce056c4ff9249d22e6f492589afc8ec05e70ece650ca2507e477e9
                                  • Instruction Fuzzy Hash: 5231B0716443006FDB209F25DC89B2BB7E4FB85728F015F1DF9A8932E0D33198188B92

                                  Control-flow Graph (nodes marked Executed / Not Executed)
                                  • Function at 214942: basic blocks 214942 through 214ae0-214ae2; no direct API calls; calls sub_214723, sub_225f82, sub_21e11f, sub_214e59, sub_214cae, sub_214ae3 and sub_234a10
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: O!
                                  • API String ID: 0-3378388816
                                  • Opcode ID: 83cc3ab2b5d6dca641c8de62f5bd5ee9cf248633cb9d31bc2f04a505a21f77d4
                                  • Instruction ID: bc8382ed1db60b344367f1a6723a808a4882fe06e0946efc245a4d48ecb159e7
                                  • Opcode Fuzzy Hash: 83cc3ab2b5d6dca641c8de62f5bd5ee9cf248633cb9d31bc2f04a505a21f77d4
                                  • Instruction Fuzzy Hash: 80510670A10108AFCF10EF58CC95AEABBF1EF59324F258159F84D9B252D3719EA1CB90

                                  Control-flow Graph (nodes marked Executed / Not Executed)
                                  • Function at 224623: basic blocks 224623 through 2249aa-2249ad; calls ReadFile; calls sub_21d22c, sub_21d23f, sub_2147a0, sub_226e2d, sub_226db3, sub_21e13d, sub_230d44, sub_21d1e5, sub_224335, sub_22417b and sub_22448c
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 048c09f7c77a036c8da469c426eccb95cea16dad930afcf5e3d7f7ca7f44f970
                                  • Instruction ID: dffcde181e33e76295df6f4ed6b8a738818961be263c64e2424f9f8aae5e213d
                                  • Opcode Fuzzy Hash: 048c09f7c77a036c8da469c426eccb95cea16dad930afcf5e3d7f7ca7f44f970
                                  • Instruction Fuzzy Hash: 62B12770A24266BFDB11EFE8F840BAEBBF1AF55304F144159E5509B282C7B09DA1CF51

                                  Control-flow Graph (nodes marked Executed / Not Executed)
                                  • Function at 4c80931: basic blocks 4c80931 through 4c80d22-4c80e4c; calls GetCurrentHwProfileW; calls sub_4c80c63 and sub_4c80db5
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: a7cc6e5d47c065c053357e565b4cb1415583c8db09447f230937b5cfcddcc126
                                  • Instruction ID: 494c0f48ec73d393f35a5d011d817af6658909a4d49cfac44e3e6f8bbb507f5e
                                  • Opcode Fuzzy Hash: a7cc6e5d47c065c053357e565b4cb1415583c8db09447f230937b5cfcddcc126
                                  • Instruction Fuzzy Hash: 4C51A4BB34D150BDB102A6836B10AFB67BFE6D2738B36847EF403D6106E6941E4D6131

                                  Control-flow Graph (nodes marked Executed / Not Executed)
                                  • Function at 4c80911: basic blocks 4c80911 through 4c80d22-4c80e4c; calls GetCurrentHwProfileW; calls sub_4c80c63 and sub_4c80db5
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 653e7c8d7ca781e5fc07986af7ae203e0714088d5628791b53caebf5addd8c47
                                  • Instruction ID: 5e19eeda46cbff0c967c2a20e7371c3100bf9475896bc0978942ea529126e984
                                  • Opcode Fuzzy Hash: 653e7c8d7ca781e5fc07986af7ae203e0714088d5628791b53caebf5addd8c47
                                  • Instruction Fuzzy Hash: 88517EEB34D111BDB112A5832B20AFB56AFE6D2778F36847AF407D2502F7942A8D7131

                                  Control-flow Graph (nodes marked Executed / Not Executed)
                                  • Function at 4c808bd: basic blocks 4c808bd through 4c80d22-4c80e4c; calls GetCurrentHwProfileW; calls sub_4c808e5, sub_4c80c63 and sub_4c80db5
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: df054ec7d84b480286c57bcf8005c470e1e79e14f20a4ddcd32955d488504a61
                                  • Instruction ID: b039f6bab2b9d5383fe85842537d0b92d5581b1dca35e8dc00b6ae170ad6add3
                                  • Opcode Fuzzy Hash: df054ec7d84b480286c57bcf8005c470e1e79e14f20a4ddcd32955d488504a61
                                  • Instruction Fuzzy Hash: B2517FEB34D111BDB102A5832B20AFA57AFD6D2778B36847EF403D6102F6942A4D7131

                                  Control-flow Graph (nodes marked Executed / Not Executed)
                                  • Function at 4c8091f: basic blocks 4c8091f through 4c80d22-4c80e4c; calls GetCurrentHwProfileW; calls sub_4c80c63 and sub_4c80db5
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0

                                  Control-flow Graph
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00219087,?,00000000,00000000,00000000,?,00000000,?,0013A3EB,00219087,00000000,0013A3EB,?,?), ref: 00225621
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C80AA6
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505605801.0000000004C80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c80000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 001A06AE
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,002249F9,00000000,CF830579,00261140,0000000C,00224AB5,00218BBD,?), ref: 00224B68
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 4abc29a2526f635204b834adaea4fdbe63365086a98b3edbb8069f7bad29cf44
                                  • Instruction ID: 329ca5d849f215c7ac4f1408e92a291664dac5c458c77b590d3332545488cb9f
                                  • Opcode Fuzzy Hash: 4abc29a2526f635204b834adaea4fdbe63365086a98b3edbb8069f7bad29cf44
                                  • Instruction Fuzzy Hash: C1114833E7413477DA247AF57805B7E67898B8277CF29028AF8188B0C2EFA0DC614995
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00260DF8,0013A3EB,00000002,0013A3EB,00000000,?,?,?,0021E166,00000000,?,0013A3EB,00000002,00260DF8), ref: 0021E098
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: ccc41eae3fc23aaaa5e6beacec14c0bbb4a49b32530cd061a184890022412181
                                  • Instruction ID: 30e2848e8090a8a4f5277f2abf273663a095f0c2eafe3b1d29f99fe9d5ec9b6a
                                  • Opcode Fuzzy Hash: ccc41eae3fc23aaaa5e6beacec14c0bbb4a49b32530cd061a184890022412181
                                  • Instruction Fuzzy Hash: 74012B32620515AFCF159F55CC05DDE3B69DB95324F250248FC50A7191EAB2EDA18BD0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0013220E
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID:
                                  • API String ID: 2659868963-0
                                  • Opcode ID: 0647994880ecef6210d877e75e65b0a585e2c277952343184b95ebfeb14f2cce
                                  • Instruction ID: c6e3883adea6c022a6bf92facde348416d3fdcb6b4dc74f47bc47e5833cc709b
                                  • Opcode Fuzzy Hash: 0647994880ecef6210d877e75e65b0a585e2c277952343184b95ebfeb14f2cce
                                  • Instruction Fuzzy Hash: FD012B7541430DABCB24AFA8E80299977ECDE00350F444435FE18DB991EB70E9B08B90
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,002191F7,00000000,?,00225D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,0021D244,002189C3,002191F7,00000000), ref: 00226435
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 2513f8af59330f029d094f8e28391110bd1c1c834acfcb37ddfd242724e4bafe
                                  • Instruction ID: 3b365ced88c0823027b8e8210ddf851a2f31dffa08907f1f78a4aad009e11927
                                  • Opcode Fuzzy Hash: 2513f8af59330f029d094f8e28391110bd1c1c834acfcb37ddfd242724e4bafe
                                  • Instruction Fuzzy Hash: 32F05433535135B69B317FE2BD0AB5B7B499B81764B158061EC84A6580CB70E831C6F1
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,0022D635,4D88C033,?,0022D635,00000220,?,002257EF,4D88C033), ref: 00226E5F
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 7d0b49c685767e6bacb3b0b687675bd4f68284e86307abb4a5bc35eb4a92fce1
                                  • Instruction ID: d76b6d418d057d1d8407c2058c898887e50c111e198e108b481187da03de78b9
                                  • Opcode Fuzzy Hash: 7d0b49c685767e6bacb3b0b687675bd4f68284e86307abb4a5bc35eb4a92fce1
                                  • Instruction Fuzzy Hash: 6BE0E53B171532B6DA312AE5FD09F5B76888B917A0F270120FC50924D1CB60CC3045A4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505685874.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c90000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: @lFs
                                  • API String ID: 0-2494725472
                                  • Opcode ID: 530bb552cf4fdb0069f74a8d04bd3c63fffcf4eee88e3b5103c21398d947fd22
                                  • Instruction ID: 46ea3ffe845c724023717eca9281c4abf9d7f06315abe99e4f4a039864402b4c
                                  • Opcode Fuzzy Hash: 530bb552cf4fdb0069f74a8d04bd3c63fffcf4eee88e3b5103c21398d947fd22
                                  • Instruction Fuzzy Hash: CB3196FB24C1557D755295932B18DF76BAEE6C2B30334C42BF803D5542E2995E4E3131
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505685874.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c90000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 421fad94f924f8737e472eff1731a25a12ff0ba4e7d220e2b88bfb71bf0f2571
                                  • Instruction ID: a4d1d4989789934a14f586364c6964a800716d98f7f6b020af580e0481466374
                                  • Opcode Fuzzy Hash: 421fad94f924f8737e472eff1731a25a12ff0ba4e7d220e2b88bfb71bf0f2571
                                  • Instruction Fuzzy Hash: 173130EB64C1657DB54295832B28EFB6BAEE6C2B70334C42BF803D1542E2981E5D3132
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505685874.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c90000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9cf5fb9c83489af29df8c0829a10323c18756920f4d2d670cbc362f6b7f7f291
                                  • Instruction ID: cdbf8ad0859d763c27eca6cfaf8e0574f4465576f66d0947270003dd5df6bd63
                                  • Opcode Fuzzy Hash: 9cf5fb9c83489af29df8c0829a10323c18756920f4d2d670cbc362f6b7f7f291
                                  • Instruction Fuzzy Hash: 0E2180EB64C165BDB94195532B2CAFB6BAEE7C2730338842BF803C1542E2985E4D3132
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505685874.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c90000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 95d456848390d09c6988ee2f1643d7f7551cc43c7bdb367aca1d0d0628c1be66
                                  • Instruction ID: 0a5010903e2ab6ca6f3c4c2db5d902298a9c0ed535333d0543907d4d97ee26b5
                                  • Opcode Fuzzy Hash: 95d456848390d09c6988ee2f1643d7f7551cc43c7bdb367aca1d0d0628c1be66
                                  • Instruction Fuzzy Hash: 912150EB64C5657DB54191833F28AFB6BAEE6C2B30334C42BF843C1542E2995E4D3131
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505685874.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c90000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a12fdae72f5a455646b225cdc58958d41ad89e4ea13becb840e5d558c9f155dc
                                  • Instruction ID: 223c08a6b62c9323217505033de9893a2bf64ccd3d41d1925e6be4e4bd3d3e60
                                  • Opcode Fuzzy Hash: a12fdae72f5a455646b225cdc58958d41ad89e4ea13becb840e5d558c9f155dc
                                  • Instruction Fuzzy Hash: 782180EB60C1657DB94695436B28AFBABAEE6D2B30338C42BF443C1502E2995E4D3131
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505685874.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c90000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0cac5a25f465a75153dba91856481fd1534cdb010eb6774f4b57a2376ce8223c
                                  • Instruction ID: 9605d8149f217c8a78d0cefc16abe832f773667b0ca0275d79305e783153fc91
                                  • Opcode Fuzzy Hash: 0cac5a25f465a75153dba91856481fd1534cdb010eb6774f4b57a2376ce8223c
                                  • Instruction Fuzzy Hash: 30111CEB20C1217DB54290837F28AFB6BAEE6D2B30335C427F847C5502E2985E4D3172
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505685874.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c90000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6601f2b13d24a0aea03d3491e6a21001fe637d349ba50308226f08f1351c328b
                                  • Instruction ID: 73e3fa23a6ec3ef9b8d6dcbee0e1d7d0bd5740a5c04c2570067a2f0afbb14dbd
                                  • Opcode Fuzzy Hash: 6601f2b13d24a0aea03d3491e6a21001fe637d349ba50308226f08f1351c328b
                                  • Instruction Fuzzy Hash: CB112BEB24C5517DBA4195837F28EFB67AEE6D6B30335C42BF802C5406E2981E4E2031
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505685874.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c90000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6ef432ba63d72c970f9c89ba6765e245cd82036b203b6d6c5a2079e45461e2a6
                                  • Instruction ID: 1578fa6cfb8deb1a2414242cbb34e1a6f2f8bfb028ef988433711680cdb74acd
                                  • Opcode Fuzzy Hash: 6ef432ba63d72c970f9c89ba6765e245cd82036b203b6d6c5a2079e45461e2a6
                                  • Instruction Fuzzy Hash: 22113AFB24C1257DB54191833F28AFAA7AEE6D2B30335C42BF803C5402E2981E4D3171
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505685874.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c90000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b066dc2e74441ddce6b947c394f82e09be04b61a7f0f2adf8d98896f44905b63
                                  • Instruction ID: 0368ccf402a82f4b28388fcc1dc10aa02ff1a11b9265fbe558d2e1978418834b
                                  • Opcode Fuzzy Hash: b066dc2e74441ddce6b947c394f82e09be04b61a7f0f2adf8d98896f44905b63
                                  • Instruction Fuzzy Hash: 45110AEB24C1657DB54295833F28DFB67BEE6D2B30335C82BF802C5402E2981E4E2171
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505685874.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c90000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1741056122df57eabd6be4323cf546c5a29bc8ef8ecf06049a97b4ae0adbc398
                                  • Instruction ID: 29ca9442817280eee434352a4ba96f5f9fb5261b6dd4cdec403e41f70034fd42
                                  • Opcode Fuzzy Hash: 1741056122df57eabd6be4323cf546c5a29bc8ef8ecf06049a97b4ae0adbc398
                                  • Instruction Fuzzy Hash: 24110CEB24C1517DB54291433F28DFA57AEE6D2B30335C86BF843C5406E2995E4E3131
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4505685874.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c90000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2afc77a754f5ca5ea6203e593737f9309f3c36b3df2c0dadad245b79a4b072df
                                  • Instruction ID: 5ff285b6e7bc9a78c856492ead288d043c28d0799ac7b914ab3315e0e8d5c38c
                                  • Opcode Fuzzy Hash: 2afc77a754f5ca5ea6203e593737f9309f3c36b3df2c0dadad245b79a4b072df
                                  • Instruction Fuzzy Hash: 54F062EB64C1117EA54190932B2CAFA5BBEF6D2B30379C86BF443C5001F2885E4E3171
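The run of records above is the part of this listing worth reading first: every function disassembled from the 04C90000 dump is marked "based on PE: false", carries no API ID and no Yara match, and the instruction fuzzy hashes agree in most positions, which is the usual shape of code that was written to private executable memory at run time rather than loaded from the image on disk. The following helper is an added example, not part of the Joe Sandbox report or of its tooling. It parses records in the shape shown on this page, groups them by dump region and flags the regions with no PE backing. Two things are assumptions: that the fifth dot-separated field of the dump name (00000040 in every dump here) is the region's Win32 Protect value, and the position-wise nibble comparison used as a similarity proxy, which is not Joe Sandbox's own metric. The sample input is a constructed abbreviation of three records from this page.

```python
"""Triage helper for Joe Sandbox per-function records (added example, not
part of the report). It parses records in the shape shown on this page,
groups them by the memory region they were disassembled from and flags
executable code that is not backed by a PE image on disk, which is where
unpacked stages usually live."""
import re
from collections import defaultdict

# Constructed sample in the shape of the records on this page (one PE-backed
# function from the 00130000 image, two from the 04C90000 region). Argument
# lists and "Associated" lines are abbreviated; the parser only reads the
# API lines, the Source File line and the Instruction Fuzzy Hash line.
SAMPLE = """\
APIs
• SetFilePointerEx.KERNELBASE(00000000,00000000,00260DF8), ref: 0021E098
• ___std_exception_copy.LIBVCRUNTIME ref: 0013220E
Memory Dump Source
• Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
Yara matches
Similarity
• API ID: FilePointer
• Instruction Fuzzy Hash: 74012B32620515AFCF159F55CC05DDE3B69DB95324F250248FC50A7191EAB2EDA18BD0
Memory Dump Source
• Source File: 00000008.00000002.4505685874.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4c90000_RageMP131.jbxd
Similarity
• API ID:
• String ID: @lFs
• Instruction Fuzzy Hash: CB3196FB24C1557D755295932B18DF76BAEE6C2B30334C42BF803D5542E2995E4E3131
Memory Dump Source
• Source File: 00000008.00000002.4505685874.0000000004C90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4c90000_RageMP131.jbxd
Similarity
• Instruction Fuzzy Hash: 173130EB64C1657DB54295832B28EFB6BAEE6C2B70334C42BF803D1542E2981E5D3132
"""

# One record is everything up to and including its Instruction Fuzzy Hash line.
API_RE = re.compile(r"^• (?P<name>[^ (]+?)\.(?P<module>[A-Z0-9]+)(?:\(.*\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (?P<dump>\S+)\.sdmp, Offset: (?P<base>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")
HASH_RE = re.compile(r"^• Instruction Fuzzy Hash: (?P<h>[0-9A-Fa-f]+)$")

# Win32 PAGE_* constants. ASSUMPTION: the fifth dot-separated field of the
# dump name (00000040 in every dump on this page) is the region's Protect
# value; 0x40 is PAGE_EXECUTE_READWRITE. Treat the decoded name as a hint only.
PROTECT_NAMES = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
                 0x80: "PAGE_EXECUTE_WRITECOPY"}


def _new_record():
    return {"apis": [], "dump": None, "base": None, "pe_backed": None, "protect": None, "fuzzy": None}


def parse_records(text):
    """Split the listing into one dict per function."""
    records, cur = [], _new_record()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur["apis"].append((m["name"], m["module"], m["ref"].upper()))
        elif m := SRC_RE.match(line):
            cur["dump"] = m["dump"]
            cur["base"] = m["base"].upper()
            cur["pe_backed"] = m["pe"] == "true"
            fields = m["dump"].split(".")
            prot = int(fields[4], 16) if len(fields) > 4 else None
            cur["protect"] = PROTECT_NAMES.get(prot, hex(prot) if prot is not None else None)
        elif m := HASH_RE.match(line):
            cur["fuzzy"] = m["h"].upper()
            records.append(cur)
            cur = _new_record()
    return records


def fuzzy_similarity(a, b):
    """Position-wise nibble agreement between two instruction fuzzy hashes.
    A rough proxy for 'same code shape', not Joe Sandbox's own metric."""
    n = min(len(a), len(b))
    return sum(x == y for x, y in zip(a, b)) / n if n else 0.0


def triage(records):
    """Group by (base, pe_backed) and flag regions with no PE image behind them."""
    by_region = defaultdict(list)
    for r in records:
        by_region[(r["base"], r["pe_backed"])].append(r)
    report = []
    for (base, pe), recs in sorted(by_region.items()):
        hashes = [r["fuzzy"] for r in recs if r["fuzzy"]]
        pairs = [fuzzy_similarity(hashes[i], hashes[j])
                 for i in range(len(hashes)) for j in range(i + 1, len(hashes))]
        report.append({
            "base": base,
            "pe_backed": pe,
            "protect": recs[0]["protect"],
            "functions": len(recs),
            "apis": sorted({f"{n}.{mod}" for r in recs for n, mod, _ in r["apis"]}),
            "min_similarity": min(pairs) if pairs else 1.0,
            # Executable code with no PE backing is where to start reversing.
            "suspicious": not pe,
        })
    return report


if __name__ == "__main__":
    for region in triage(parse_records(SAMPLE)):
        flag = "UNBACKED" if region["suspicious"] else "image   "
        print(f'{flag} base={region["base"]} {region["protect"]} funcs={region["functions"]} '
              f'min_sim={region["min_similarity"]:.2f} apis={region["apis"]}')
```

Run against the full listing, the 04C90000 group comes out with no imports, no Yara hits and a high minimum similarity across its functions, while the 00130000 group carries the CRT and KERNELBASE calls seen in the records above; the dumps marked "based on PE: false" are the ones to load into a disassembler first.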
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction ID: bde0113280cfbda9c95275b2583dce71ed5cd7b5b2f1ff4133e380229173fa05
                                  • Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction Fuzzy Hash: 4D025B71E1121A9BDF14CFA8C8C06EEFBF5FF58314F258269D919A7380DB31A9518B90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019F833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019F855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019F875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019F89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019F90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0019F959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0019F973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019FA08
                                  • std::_Facet_Register.LIBCPMT ref: 0019FA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$"%
                                  • API String ID: 3375549084-2785405677
                                  • Opcode ID: 4a54bf5f6e3152a018bb00732e1ad6b7508442f0a4e6be0fa36ab11bad9f5f2d
                                  • Instruction ID: ee9b7f4059d942a84a4923003dc0c330985f7655f3f5f0108cb6b216cd744a21
                                  • Opcode Fuzzy Hash: 4a54bf5f6e3152a018bb00732e1ad6b7508442f0a4e6be0fa36ab11bad9f5f2d
                                  • Instruction Fuzzy Hash: 0F617CB1D10208EBEF10DFA4D849B9EBBF4AF14714F184468E805E7381E775AD56CB91
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00212E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00212E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00212ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00212F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00212F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: i&$csm
                                  • API String ID: 1170836740-3583052009
                                  • Opcode ID: 502c7fd2cc1b6305c62e736f76ed96174aa6e38b662974a43a9185f2d4dd9457
                                  • Instruction ID: 7f0d160eddc657807d555fb2c4130da08c0cff65e6a9c9554e2eb7bae3c02c9b
                                  • Opcode Fuzzy Hash: 502c7fd2cc1b6305c62e736f76ed96174aa6e38b662974a43a9185f2d4dd9457
                                  • Instruction Fuzzy Hash: B3419230A20209DBCF10DF68D885ADEBBF5EF55324F148055F9149B292D732EAB9CB91
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00133A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00133AA4
                                  • __Getctype.LIBCPMT ref: 00133ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00133AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00133B7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: 39bd3b24db54c8945a5bd8bbaffa1dc1c88ce69294c0efdb10762d82777e3811
                                  • Instruction ID: 60b0b95d657660890123011f12d31e36870daadeb48752eb23c3c8ce6cd24115
                                  • Opcode Fuzzy Hash: 39bd3b24db54c8945a5bd8bbaffa1dc1c88ce69294c0efdb10762d82777e3811
                                  • Instruction Fuzzy Hash: F3513CB1D00348DBEF10DFA4D845B9EFBB8AF14310F144069E809AB382E775DA58CBA5
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019DE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019DEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019DED6
                                  • std::_Facet_Register.LIBCPMT ref: 0019DF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019DF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0019DF7B
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  • Opcode ID: db6ba1707d3abd9644993d4242b9ed1c54b2dd77ded878fd3753c344aa5ea57b
                                  • Instruction ID: 5bbc7e19c18dc5cbb7f804ee8bc3cc3c85cc3a2ec7f3de1f221a2ef33f8ba2f8
                                  • Opcode Fuzzy Hash: db6ba1707d3abd9644993d4242b9ed1c54b2dd77ded878fd3753c344aa5ea57b
                                  • Instruction Fuzzy Hash: C4412672910219DFCF14DF94E986A6EBBB4FB10720F148268E8156B392D770AD11CBD1
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00134F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00134FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001350C8
                                  Strings
                                  • recursive_directory_iterator::operator++, xrefs: 0013504C
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-953255998
                                  • Opcode ID: aa329517829dd043ed5df8be018229e123097f1a4f8f567f8a8a5bda6c51010f
                                  • Instruction ID: 253f524e4b1548819be38e26e859700b79edce99598856a978eeba78fb40dec4
                                  • Opcode Fuzzy Hash: aa329517829dd043ed5df8be018229e123097f1a4f8f567f8a8a5bda6c51010f
                                  • Instruction Fuzzy Hash: 4AE1E2B19106049FCB28DF68D845BAEBBF9FF44300F148A2DE45693B81E774B954CBA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0013799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00137B75
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: out_of_range$type_error
                                  • API String ID: 2659868963-3702451861
                                  • Opcode ID: 540c24e0f071101a32b1eca3f3cc57115b9605288b9a43b435352324834673d2
                                  • Instruction ID: 0873fba22ab0ce2be53dfb639add407632513e482b25baa43b04831e90967bc9
                                  • Opcode Fuzzy Hash: 540c24e0f071101a32b1eca3f3cc57115b9605288b9a43b435352324834673d2
                                  • Instruction Fuzzy Hash: C7C157B19002089FDB18CFA8D984B9DFBF5FF49310F14866AE419EB781E774A984CB54
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00132275
                                    • Part of subcall function 0020D6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0020D6F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                  • String ID: string too long$L&$L&
                                  • API String ID: 1997705970-2440114816
                                  • Opcode ID: caede21bbe6da2d8325baf246a4404f57dd146b58e2bb040046a6ae201ebde9e
                                  • Instruction ID: 5b3de2f90b9657f3117d96fcc1dd6357183e1885e244b762af2c0565347044f0
                                  • Opcode Fuzzy Hash: caede21bbe6da2d8325baf246a4404f57dd146b58e2bb040046a6ae201ebde9e
                                  • Instruction Fuzzy Hash: 9A811275A042899FDB06DF68C460BEEBFF1FF6A300F18416AC894A7782C3758545CBA1
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001375BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001375CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column
                                  • API String ID: 4194217158-191570568
                                  • Opcode ID: 95248feb7ad489353458c012df0ff6237a5906c97576e95e4986a57363183d99
                                  • Instruction ID: e713cffd93a8342dc265857860f14b9b779d03d1872c0bdf27575f4e9eea48ee
                                  • Opcode Fuzzy Hash: 95248feb7ad489353458c012df0ff6237a5906c97576e95e4986a57363183d99
                                  • Instruction Fuzzy Hash: 2061E1B0A002049FDB1CDF68DC94BADBBB6FF45300F244628E415A7BC2D774AA948B91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00133E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 64febd75ea1defa470ad7b3011e45b44c48d1f549c5fe142f83530c4ebef8e78
                                  • Instruction ID: 2d5e31264e3a3d13f64ec59032cca74881ff3375f8c859c39f11909fe2193e10
                                  • Opcode Fuzzy Hash: 64febd75ea1defa470ad7b3011e45b44c48d1f549c5fe142f83530c4ebef8e78
                                  • Instruction Fuzzy Hash: 4841E5B2900208AFCB04DF58D845BEEB7F8EF49310F14852AF929D7741E770AA518BA4
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00133E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 2a08587c746d88124f316b24918324e75a92d8b8ac6f7c870d5a50c47ae9d4a3
                                  • Instruction ID: cc3c1446fa671a292058142bfe81be661c9c41c6035c3aacaf34c4e00ddd5208
                                  • Opcode Fuzzy Hash: 2a08587c746d88124f316b24918324e75a92d8b8ac6f7c870d5a50c47ae9d4a3
                                  • Instruction Fuzzy Hash: 0B212BB2910304AFC714DF58D805B96B7DCAB15310F08883AFE78C7641E770EA64CB94
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00137340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: parse error$parse_error
                                  • API String ID: 2659868963-1820534363
                                  • Opcode ID: c8476df3bccb410aaeb4ff1cc796e1777eb874f8314be004736b49cc16b15b32
                                  • Instruction ID: ef308799dead33717b3887087c51cdcc24be091f2186bd8655a685de9c041b42
                                  • Opcode Fuzzy Hash: c8476df3bccb410aaeb4ff1cc796e1777eb874f8314be004736b49cc16b15b32
                                  • Instruction Fuzzy Hash: 2CE16EB19042488FDB18CF68C994BADBBF1FF49300F248269E418EB792D7749A85CF51
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00136F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00136F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.
                                  • API String ID: 4194217158-791563284
                                  • Opcode ID: d17a50bc521287bf69b06eb3116490c74b242475790006aead737d8738004055
                                  • Instruction ID: 39e1b33da134756bc4e5c3fb801c1326f2bee5662c519cc35e6b94a182fde5f8
                                  • Opcode Fuzzy Hash: d17a50bc521287bf69b06eb3116490c74b242475790006aead737d8738004055
                                  • Instruction Fuzzy Hash: 4391D470A002049FDB18CF68D994BAEBBF6FF45300F20866CE459AB792D775A985CB50
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 001AE491
                                  Strings
                                  • type must be string, but is , xrefs: 001AE4F8
                                  • type must be boolean, but is , xrefs: 001AE582
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.4496594215.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 00000008.00000002.4496437825.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496594215.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4496988803.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4497056945.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498123126.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.4498472050.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: ada7ecae50ea3af7e7b299258ca7013531d35b153ffce0ec69130373915f08c8
                                  • Instruction ID: 50c3bfae8fa7e8564c86067a1522744ef176f232a6406315d3c94f091652707f
                                  • Opcode Fuzzy Hash: ada7ecae50ea3af7e7b299258ca7013531d35b153ffce0ec69130373915f08c8
                                  • Instruction Fuzzy Hash: 5F419CB9904248AFDB14EBA4D802BAEB7ECDB15300F144574F805D7682EB35EA54C791

                                  Execution Graph

                                  Execution Coverage:2.7%
                                  Dynamic/Decrypted Code Coverage:4.8%
                                  Signature Coverage:0%
                                  Total number of Nodes:756
                                  Total number of Limit Nodes:79
                                   execution_graph
                                   [Interactive graph rendering not reproduced; the raw node/edge listing is condensed here.] Nodes are function addresses in the module mapped at 00130000 (process 8, see the memory dump sources above), annotated with the Windows APIs reached from each. The API-calling paths recoverable from the listing:
                                   • 14e0a0: WSAStartup -> 14e175 socket -> 14e18b connect -> 14e19d closesocket, with closesocket looping back to socket; 14e1a7 is the exit of the loop. This is the repeated-connection loop consistent with the "Connects to many ports of the same IP" signature.
                                   • 193a40: GetPEB at 193a73 and 193b28, Sleep at 193ae8 and 193b9d, ending at 193bc7. A PEB read followed by Sleep is consistent with the evasive-API-chain and timing-check signatures.
                                   • 508085e, 508088e, 508099c and 5080a86: GetCurrentHwProfileW, all converging on 5080a9b. These addresses lie outside the 00130000 image regions listed above, i.e. in code that was not part of the mapped module.
                                   • CRT file I/O: SetFilePointerEx at 21e08a, ReadFile at 2248e3, WriteFile at 225609, FindCloseChangeNotification at 224b66.
                                   • The remaining nodes (1321d0, 132ae0, 20f290, 2147b0, 21d23f, 225d2c, 226db3, 2284be and others) are MSVC runtime helpers (__dosmaperr, __freea, __fread_nolock, std::locale::_Locimp::_Locimp, std::_Facet_Register, Concurrency::cancel_current_task, ___std_exception_copy, __Getctype) that bottom out in RtlAllocateHeap.

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 177 193a40-193a52 178 193a55-193a61 177->178 180 193b28-193b31 GetPEB 178->180 181 193a67-193a6d 178->181 182 193b34-193b48 180->182 181->180 183 193a73-193a7f GetPEB 181->183 184 193b99-193b9b 182->184 185 193b4a-193b4f 182->185 186 193a80-193a94 183->186 184->182 185->184 187 193b51-193b59 185->187 188 193ae4-193ae6 186->188 189 193a96-193a9b 186->189 190 193b60-193b73 187->190 188->186 189->188 191 193a9d-193aa3 189->191 192 193b92-193b97 190->192 193 193b75-193b88 190->193 194 193aa5-193ab8 191->194 192->184 192->190 193->193 195 193b8a-193b90 193->195 196 193aba 194->196 197 193add-193ae2 194->197 195->192 199 193b9d-193bc2 Sleep 195->199 198 193ac0-193ad3 196->198 197->188 197->194 198->198 200 193ad5-193adb 198->200 199->178 200->197 201 193ae8-193b0d Sleep 200->201 202 193b13-193b1a 201->202 202->180 203 193b1c-193b22 202->203 203->180 204 193bc7-193bd8 call 136bd0 203->204 207 193bda-193bdc 204->207 208 193bde 204->208 209 193be0-193bfd call 136bd0 207->209 208->209
                                  APIs
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00193DB6), ref: 00193B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00193DB6), ref: 00193BBA
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 1ee8e0f17a8c5cac38af342f6c1e6a78066e47474a1114e984294fe282be5cba
                                  • Instruction ID: ee48a5b8860cb459710b52d3722918763617b59e759811ef2877f0737835d176
                                  • Opcode Fuzzy Hash: 1ee8e0f17a8c5cac38af342f6c1e6a78066e47474a1114e984294fe282be5cba
                                  • Instruction Fuzzy Hash: D651A935A042199FCF28CF58C8D0EAAB3B1EF45704F29859AD466AB351D731EE05CB90

                                  Control-flow Graph

                                  control_flow_graph 0 14e0a0-14e0d2 WSAStartup 1 14e1b7-14e1c0 0->1 2 14e0d8-14e102 call 136bd0 * 2 0->2 7 14e104-14e108 2->7 8 14e10e-14e165 2->8 7->1 7->8 10 14e167-14e16d 8->10 11 14e1b1 8->11 12 14e1c5-14e1cf 10->12 13 14e16f 10->13 11->1 12->11 17 14e1d1-14e1d9 12->17 14 14e175-14e189 socket 13->14 14->11 15 14e18b-14e19b connect 14->15 18 14e1c1 15->18 19 14e19d-14e1a5 closesocket 15->19 18->12 19->14 20 14e1a7-14e1b0 19->20 20->11
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: 536c6b0c956c741ac8e5c90f1a490874564bbb68eada41272a3967eaaa146fba
                                  • Instruction ID: 415859c9fd368dd0af9f4c58c1aac9bbddc2d8311d927ca6d4f57a47f22a1090
                                  • Opcode Fuzzy Hash: 536c6b0c956c741ac8e5c90f1a490874564bbb68eada41272a3967eaaa146fba
                                  • Instruction Fuzzy Hash: A13190726443016FDB209F259C49B2BB7E4FB85728F115F1DF9A8962E0D37198188B92
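The two listings above for function 193a40 (GetPEB followed by Sleep(0x3E9) and Sleep(1)) and function 14e0a0 (WSAStartup, then socket, connect and closesocket) only show their security-relevant shape once you know which basic blocks sit inside a loop: a connect/closesocket pair in a cycle is the pattern behind the "connects to many ports of the same IP" signature, and a PEB read followed by a Sleep in a cycle is the evasive stall-after-inspection chain. The following is an added example, not code from the Joe Sandbox report or its IDA plugin. It is a small Python reader for the "control_flow_graph" listing format as it appears on this page (block id, address or address range, optional API labels, and src->dst edges; that format is assumed from the page itself, not from Joe Sandbox documentation). It rebuilds the graph, finds blocks that can reach themselves again, and reports which API calls are made from inside a loop. The two sample inputs are the listings copied from this page.

```python
"""Reader for the Joe Sandbox 'control_flow_graph' listings on this page.
Format assumed from the page: '<id> <addr>[-<addr>] [labels]' defines a basic
block (labels are API names, 'call <addr>' or a repeat count '* N') and
'<src>-><dst>' defines an edge. Added example, not Joe Sandbox code."""
import re
from collections import defaultdict

NODE_ID = re.compile(r"^\d+$")
NODE_ADDR = re.compile(r"^[0-9a-f]+(-[0-9a-f]+)?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
API_NAME = re.compile(r"^[A-Za-z_]\w*$")

def parse_cfg(text):
    """Return (labels, succs): id -> (address range, [label tokens]) and
    id -> [successor ids]."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    labels, succs, current, i = {}, defaultdict(list), None, 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            succs[int(edge.group(1))].append(int(edge.group(2)))
            i += 1
        elif tok in ("call", "*"):
            # 'call 136bd0' / '* 2': the second token can look like a block id
            # or an address, so consume both here instead of starting a node.
            if current is not None:
                labels[current][1].extend(tokens[i:i + 2])
            i += 2
        elif NODE_ID.match(tok) and i + 1 < len(tokens) and NODE_ADDR.match(tokens[i + 1]):
            current = int(tok)
            labels[current] = (tokens[i + 1], [])
            i += 2
        else:
            if current is not None:  # an API name attached to the current block
                labels[current][1].append(tok)
            i += 1
    for n in labels:
        succs.setdefault(n, [])
    return labels, dict(succs)

def nodes_on_cycles(succs):
    """Ids of blocks that can reach themselves again, i.e. blocks inside a loop."""
    on_cycle = set()
    for start, first in succs.items():
        seen, stack = set(), list(first)
        while stack:
            n = stack.pop()
            if n == start:
                on_cycle.add(start)
                break
            if n not in seen:
                seen.add(n)
                stack.extend(succs.get(n, []))
    return on_cycle

def api_names(label_tokens):
    """API names among a block's labels, skipping 'call <addr>' and '* N'."""
    names, skip = [], False
    for t in label_tokens:
        if skip:
            skip = False
        elif t in ("call", "*"):
            skip = True
        elif API_NAME.match(t):
            names.append(t)
    return names

def apis_in_loops(text):
    """Map each API called from inside a loop to the ids of the calling blocks."""
    labels, succs = parse_cfg(text)
    found = defaultdict(list)
    for n in sorted(nodes_on_cycles(succs)):
        for name in api_names(labels.get(n, ("", []))[1]):
            found[name].append(n)
    return dict(found)

# Sample inputs: the listings for functions 14e0a0 and 193a40 copied from this page.
SOCKET_CFG = """control_flow_graph 0 14e0a0-14e0d2 WSAStartup 1 14e1b7-14e1c0 0->1 2 14e0d8-14e102 call 136bd0 * 2 0->2
7 14e104-14e108 2->7 8 14e10e-14e165 2->8 7->1 7->8 10 14e167-14e16d 8->10 11 14e1b1 8->11 12 14e1c5-14e1cf 10->12
13 14e16f 10->13 11->1 12->11 17 14e1d1-14e1d9 12->17 14 14e175-14e189 socket 13->14 14->11 15 14e18b-14e19b connect
14->15 18 14e1c1 15->18 19 14e19d-14e1a5 closesocket 15->19 18->12 19->14 20 14e1a7-14e1b0 19->20 20->11"""

SLEEP_CFG = """control_flow_graph 177 193a40-193a52 178 193a55-193a61 177->178 180 193b28-193b31 GetPEB 178->180 181 193a67-193a6d
178->181 182 193b34-193b48 180->182 181->180 183 193a73-193a7f GetPEB 181->183 184 193b99-193b9b 182->184 185 193b4a-193b4f
182->185 186 193a80-193a94 183->186 184->182 185->184 187 193b51-193b59 185->187 188 193ae4-193ae6 186->188 189 193a96-193a9b
186->189 190 193b60-193b73 187->190 188->186 189->188 191 193a9d-193aa3 189->191 192 193b92-193b97 190->192 193 193b75-193b88
190->193 194 193aa5-193ab8 191->194 192->184 192->190 193->193 195 193b8a-193b90 193->195 196 193aba 194->196 197 193add-193ae2
194->197 195->192 199 193b9d-193bc2 Sleep 195->199 198 193ac0-193ad3 196->198 197->188 197->194 198->198 200 193ad5-193adb
198->200 199->178 200->197 201 193ae8-193b0d Sleep 200->201 202 193b13-193b1a 201->202 202->180 203 193b1c-193b22 202->203
203->180 204 193bc7-193bd8 call 136bd0 203->204 207 193bda-193bdc 204->207 208 193bde 204->208 209 193be0-193bfd call 136bd0
207->209 208->209"""

if __name__ == "__main__":
    for fn, cfg in (("14e0a0", SOCKET_CFG), ("193a40", SLEEP_CFG)):
        print(fn, "APIs inside loops:", apis_in_loops(cfg))
```

For 14e0a0 the reader reports socket, connect and closesocket in blocks 14, 15 and 19 and leaves WSAStartup (block 0) outside any loop, which is the connect-and-retry shape the port-scanning signature describes. For 193a40 it reports both GetPEB blocks (180, 183) and both Sleep blocks (199, 201; the 0x3E9 argument logged above is 1001 ms) inside loops, while the two "call 136bd0" blocks after the loop are not. The parser is deliberately tolerant of single-address blocks such as "11 14e1b1" and of the "call <addr>" and "* N" annotations, because those are exactly the tokens that would otherwise be mistaken for block ids.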

                                  Control-flow Graph

                                  control_flow_graph 22 214942-21494f 23 214951-214974 call 214723 22->23 24 214979-21498d call 225f82 22->24 29 214ae0-214ae2 23->29 30 214992-21499b call 21e11f 24->30 31 21498f 24->31 33 2149a0-2149af 30->33 31->30 34 2149b1 33->34 35 2149bf-2149c8 33->35 38 2149b7-2149b9 34->38 39 214a89-214a8e 34->39 36 2149ca-2149d7 35->36 37 2149dc-214a10 35->37 40 214adc 36->40 41 214a12-214a1c 37->41 42 214a6d-214a79 37->42 38->35 38->39 43 214ade-214adf 39->43 40->43 44 214a43-214a4f 41->44 45 214a1e-214a2a 41->45 46 214a90-214a93 42->46 47 214a7b-214a82 42->47 43->29 44->46 49 214a51-214a6b call 214e59 44->49 45->44 48 214a2c-214a3e call 214cae 45->48 50 214a96-214a9e 46->50 47->39 48->43 49->50 51 214aa0-214aa6 50->51 52 214ada 50->52 55 214aa8-214abc call 214ae3 51->55 56 214abe-214ac2 51->56 52->40 55->43 60 214ad5-214ad7 56->60 61 214ac4-214ad2 call 234a10 56->61 60->52 61->60
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: O!
                                  • API String ID: 0-3378388816
                                  • Opcode ID: 83cc3ab2b5d6dca641c8de62f5bd5ee9cf248633cb9d31bc2f04a505a21f77d4
                                  • Instruction ID: bc8382ed1db60b344367f1a6723a808a4882fe06e0946efc245a4d48ecb159e7
                                  • Opcode Fuzzy Hash: 83cc3ab2b5d6dca641c8de62f5bd5ee9cf248633cb9d31bc2f04a505a21f77d4
                                  • Instruction Fuzzy Hash: 80510670A10108AFCF10EF58CC95AEABBF1EF59324F258159F84D9B252D3719EA1CB90

                                  Control-flow Graph

                                  control_flow_graph 65 224623-224633 66 224635-224648 call 21d22c call 21d23f 65->66 67 22464d-22464f 65->67 81 2249a7 66->81 69 224655-22465b 67->69 70 22498f-22499c call 21d22c call 21d23f 67->70 69->70 72 224661-22468a 69->72 89 2249a2 call 2147a0 70->89 72->70 75 224690-224699 72->75 78 2246b3-2246b5 75->78 79 22469b-2246ae call 21d22c call 21d23f 75->79 84 22498b-22498d 78->84 85 2246bb-2246bf 78->85 79->89 87 2249aa-2249ad 81->87 84->87 85->84 86 2246c5-2246c9 85->86 86->79 91 2246cb-2246e2 86->91 89->81 93 224717-22471d 91->93 94 2246e4-2246e7 91->94 98 2246f1-224708 call 21d22c call 21d23f call 2147a0 93->98 99 22471f-224726 93->99 96 2246e9-2246ef 94->96 97 22470d-224715 94->97 96->97 96->98 101 22478a-2247a9 97->101 130 2248c2 98->130 102 22472a-22472b call 226e2d 99->102 103 224728 99->103 106 224865-22486e call 230d44 101->106 107 2247af-2247bb 101->107 109 224730-224748 call 226db3 * 2 102->109 103->102 119 224870-224882 106->119 120 2248df 106->120 107->106 108 2247c1-2247c3 107->108 108->106 112 2247c9-2247ea 108->112 133 224765-224788 call 21e13d 109->133 134 22474a-224760 call 21d23f call 21d22c 109->134 112->106 116 2247ec-224802 112->116 116->106 121 224804-224806 116->121 119->120 124 224884-224893 119->124 125 2248e3-2248f9 ReadFile 120->125 121->106 128 224808-22482b 121->128 124->120 143 224895-224899 124->143 126 224957-224962 125->126 127 2248fb-224901 125->127 145 224964-224976 call 21d23f call 21d22c 126->145 146 22497b-22497e 126->146 127->126 131 224903 127->131 128->106 132 22482d-224843 128->132 135 2248c5-2248cf call 226db3 130->135 138 224906-224918 131->138 132->106 139 224845-224847 132->139 133->101 134->130 135->87 138->135 147 22491a-22491e 138->147 139->106 148 224849-224860 139->148 143->125 144 22489b-2248b3 143->144 165 2248d4-2248dd 144->165 166 2248b5-2248ba 144->166 145->130 155 224984-224986 146->155 156 2248bb-2248c1 call 21d1e5 146->156 153 224920-224930 call 224335 147->153 154 
224937-224944 147->154 148->106 173 224933-224935 153->173 162 224950-224955 call 22417b 154->162 163 224946 call 22448c 154->163 155->135 156->130 174 22494b-22494e 162->174 163->174 165->138 166->156 173->135 174->173
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1bfdb33ce1bf3132f9d6a6fc73ba6ff0501edcbddeb889383ddb5320d4cbe2be
                                  • Instruction ID: edb1a1e6e52d049215569228c87aa79f081ea1df820ed988da733170ec3c4268
                                  • Opcode Fuzzy Hash: 1bfdb33ce1bf3132f9d6a6fc73ba6ff0501edcbddeb889383ddb5320d4cbe2be
                                  • Instruction Fuzzy Hash: 78B13770A20266BFDB11EFE8F844BAEBBF5AF55300F144159E550AB282C7B09DA1CF51

                                  Control-flow Graph

                                  control_flow_graph 212 5080845-5080a62 call 5080862 237 5080a73-5080a8b GetCurrentHwProfileW 212->237 239 5080a9b-5080cb4 237->239 261 5080cc7-5080d34 239->261 269 5080cc1-5080cc5 261->269 270 5080d36 261->270 269->261 270->270
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8d40cf87f9ab816976b9e818032394d687942c93078d44cc591480b60922ea19
                                  • Instruction ID: 5c10e4dd4d42fd6f48079ba853486af344372a943ba0d0b7382d8e21a3734bd4
                                  • Opcode Fuzzy Hash: 8d40cf87f9ab816976b9e818032394d687942c93078d44cc591480b60922ea19
                                  • Instruction Fuzzy Hash: 8E5168EB24D125BCB202E6817B3CEFE6B6FE6D27307318466F887D6502E6940E8D5131

                                  Control-flow Graph

                                  control_flow_graph 271 5080855-5080858 272 508085e-5080a62 271->272 273 5080859 call 5080862 271->273 295 5080a73-5080a8b GetCurrentHwProfileW 272->295 273->272 297 5080a9b-5080cb4 295->297 319 5080cc7-5080d34 297->319 327 5080cc1-5080cc5 319->327 328 5080d36 319->328 327->319 328->328
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1c2d3cee89d29cbbf180ba19c8ca2af5eda65d4d7f8eac28a54670591b5ee67c
                                  • Instruction ID: a3784ee3e594f5620582c70bef6bd136c6f5fa48e89ccbf74239477340971b3b
                                  • Opcode Fuzzy Hash: 1c2d3cee89d29cbbf180ba19c8ca2af5eda65d4d7f8eac28a54670591b5ee67c
                                  • Instruction Fuzzy Hash: 135168EB24D125BCB202E6817B3CEFE6B6FE6D27307318466F887D6502E6940E8D5131

                                  Control-flow Graph

                                  control_flow_graph 329 5080862-5080a62 351 5080a73-5080a8b GetCurrentHwProfileW 329->351 353 5080a9b-5080cb4 351->353 375 5080cc7-5080d34 353->375 383 5080cc1-5080cc5 375->383 384 5080d36 375->384 383->375 384->384
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: a055664c17c9d8777e60dea44ed4cd98df4357fb83a54191160028d61badb5c7
                                  • Instruction ID: 50c51698abe2ed7f91c4b17baac47cb852a2f99198184576918d7cf94962cac4
                                  • Opcode Fuzzy Hash: a055664c17c9d8777e60dea44ed4cd98df4357fb83a54191160028d61badb5c7
                                  • Instruction Fuzzy Hash: AB5149EB24D125BCB102E6817B38EFE676FE2D27307318466F887D5502E7944E8D5131

                                  Control-flow Graph

                                  control_flow_graph 385 5080880-5080a62 407 5080a73-5080a8b GetCurrentHwProfileW 385->407 409 5080a9b-5080cb4 407->409 431 5080cc7-5080d34 409->431 439 5080cc1-5080cc5 431->439 440 5080d36 431->440 439->431 440->440
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 9a3aec71a2a728a6c072a72b273e4b8d201aa85ed183931da427d5740cd9d193
                                  • Instruction ID: 7d6127a6ba1601b9582ae3373546154997e25526b12c2ce046cf02407bfe1a72
                                  • Opcode Fuzzy Hash: 9a3aec71a2a728a6c072a72b273e4b8d201aa85ed183931da427d5740cd9d193
                                  • Instruction Fuzzy Hash: AF5157FB24D125BCB201E6817B78EFE676FE6D2730731846AF887D2502E7944A8E5131

                                  Control-flow Graph

                                  control_flow_graph 441 5080897-5080a62 462 5080a73-5080a8b GetCurrentHwProfileW 441->462 464 5080a9b-5080cb4 462->464 486 5080cc7-5080d34 464->486 494 5080cc1-5080cc5 486->494 495 5080d36 486->495 494->486 495->495
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 7bb9ddbfffa4720bd48760a5e3ea961df87f6f45c9af746bfaad3feb6afb8479
                                  • Instruction ID: b363ef2bd87eabd85fe60571bc0602041b9f8b7b3db4a48efccf9f5510c7fcd4
                                  • Opcode Fuzzy Hash: 7bb9ddbfffa4720bd48760a5e3ea961df87f6f45c9af746bfaad3feb6afb8479
                                  • Instruction Fuzzy Hash: A7516AFB24D125BDB201E6817B38EFE6B6FE6D67307318466F887D6502E2940E8D5131

                                  Control-flow Graph

                                  control_flow_graph 496 50808b4-5080a62 515 5080a73-5080a8b GetCurrentHwProfileW 496->515 517 5080a9b-5080cb4 515->517 539 5080cc7-5080d34 517->539 547 5080cc1-5080cc5 539->547 548 5080d36 539->548 547->539 548->548
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 1767b62319410129ad6e42b6e187f76a12c37e5e5246b8ba543ea4b80d2d1c63
                                  • Instruction ID: 22998253cca68d92cdb0f6acc6e7075954401e44bfb9344b80f3fbbd74df956c
                                  • Opcode Fuzzy Hash: 1767b62319410129ad6e42b6e187f76a12c37e5e5246b8ba543ea4b80d2d1c63
                                  • Instruction Fuzzy Hash: 74518DFB24D115BDB202E6817B38EFE6B6FE2D2730731846AF887D5502E3940A8D5131

                                  Control-flow Graph

                                  control_flow_graph 549 5080925-5080927 550 5080929-508092a 549->550 551 50808ec-5080920 549->551 552 50808ea 550->552 553 508092c-508092e 550->553 555 5080931-5080a62 551->555 552->551 553->555 570 5080a73-5080a8b GetCurrentHwProfileW 555->570 572 5080a9b-5080cb4 570->572 594 5080cc7-5080d34 572->594 602 5080cc1-5080cc5 594->602 603 5080d36 594->603 602->594 603->603
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3f4c6ad9070cb59c94093faa448dd34442478fc92e826eb22985ae2120776631
                                  • Instruction ID: 2aa720f947e94a8ae13acc87dd213137950e4a4438c5a6167ea0702d8cb7ef55
                                  • Opcode Fuzzy Hash: 3f4c6ad9070cb59c94093faa448dd34442478fc92e826eb22985ae2120776631
                                  • Instruction Fuzzy Hash: 27517BFB24D125BCB202E6817B38EFE6B6FE2D27307318466F887D5502E2840E8E5131

                                  Control-flow Graph

                                  control_flow_graph 604 50808ed-5080a62 621 5080a73-5080a8b GetCurrentHwProfileW 604->621 623 5080a9b-5080cb4 621->623 645 5080cc7-5080d34 623->645 653 5080cc1-5080cc5 645->653 654 5080d36 645->654 653->645 654->654
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 3b96d6efb0e0e256c6a096a61240bd90a5f9ac19036235cf34ca7c0a863208b1
                                  • Instruction ID: 7846f2a6da2fc17bdc3a1ef387e97a2a4fc713938069bc0286cb9f970d152a7f
                                  • Opcode Fuzzy Hash: 3b96d6efb0e0e256c6a096a61240bd90a5f9ac19036235cf34ca7c0a863208b1
                                  • Instruction Fuzzy Hash: BE514BFB24D125BCB102E6827B78EFE5A6FE2D27307318466F887D5502E7944E8E1531

                                  Control-flow Graph

                                  control_flow_graph 655 5080906-5080a62 670 5080a73-5080a8b GetCurrentHwProfileW 655->670 672 5080a9b-5080cb4 670->672 694 5080cc7-5080d34 672->694 702 5080cc1-5080cc5 694->702 703 5080d36 694->703 702->694 703->703
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph (figure; legend: executed / not executed): basic blocks 5080913-5080d36, with a call to GetCurrentHwProfileW in block 5080a73-5080a8b
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph (figure; legend: executed / not executed): basic blocks 508094a-5080d36, with a call to GetCurrentHwProfileW in block 5080a73-5080a8b
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00219087,?,00000000,00000000,00000000,?,00000000,?,0013A3EB,00219087,00000000,0013A3EB,?,?), ref: 00225621
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000081), ref: 05080A86
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505200126.0000000005080000.00000040.00001000.00020000.00000000.sdmp, Offset: 05080000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5080000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 001A0807
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 001A06AE
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,002249F9,00000000,CF830579,00261140,0000000C,00224AB5,00218BBD,?), ref: 00224B68
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00260DF8,0013A3EB,00000002,0013A3EB,00000000,?,?,?,0021E166,00000000,?,0013A3EB,00000002,00260DF8), ref: 0021E098
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: be05b63e29a8d01928c54a4e5e42a7ea787db12c96a648dc269af2e4382c2c6a
                                  • Instruction ID: 9c1f8a6ae344f23f7dc56b368b2c7eb253505d94e88e0f6a41af6923220ba7fa
                                  • Opcode Fuzzy Hash: be05b63e29a8d01928c54a4e5e42a7ea787db12c96a648dc269af2e4382c2c6a
                                  • Instruction Fuzzy Hash: A4014932620515AFCF159F59DC05CDE3BA9DB95330F250258FC50AB2D1EAB2EDA18BD0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0013220E
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID:
                                  • API String ID: 2659868963-0
                                  • Opcode ID: 0647994880ecef6210d877e75e65b0a585e2c277952343184b95ebfeb14f2cce
                                  • Instruction ID: c6e3883adea6c022a6bf92facde348416d3fdcb6b4dc74f47bc47e5833cc709b
                                  • Opcode Fuzzy Hash: 0647994880ecef6210d877e75e65b0a585e2c277952343184b95ebfeb14f2cce
                                  • Instruction Fuzzy Hash: FD012B7541430DABCB24AFA8E80299977ECDE00350F444435FE18DB991EB70E9B08B90
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,002191F7,00000000,?,00225D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,0021D244,002189C3,002191F7,00000000), ref: 00226434
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 8ce0a76dafce71c88eaa9f2b83f9f34fd7c06ce9a47bdaaa168864d6c89e4289
                                  • Instruction ID: 3303a7fe81f8e1335776e589ae81169d1bc26a9fcdc5f5e85026cd03071e73cc
                                  • Opcode Fuzzy Hash: 8ce0a76dafce71c88eaa9f2b83f9f34fd7c06ce9a47bdaaa168864d6c89e4289
                                  • Instruction Fuzzy Hash: FBF05433565135B69B317FE2BC0AB5B7B899B81B64B258061E884A6590CA70EC31C6F1
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,0022D635,4D88C033,?,0022D635,00000220,?,002257EF,4D88C033), ref: 00226E60
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: d29274f376375a2a7be2adaf77ddeb815745d13ee91522c528cea3d02b66fcc5
                                  • Instruction ID: 480cdf98c244bf818f7a5cfecc5cce5046569820bae2573d6e5a9c09f8b54486
                                  • Opcode Fuzzy Hash: d29274f376375a2a7be2adaf77ddeb815745d13ee91522c528cea3d02b66fcc5
                                  • Instruction Fuzzy Hash: 6EE0ED3B130632BADA312AE5FD08FAB76888B927A0F170120FC14924D2CB60C83085A4
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505277155.0000000005090000.00000040.00001000.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5090000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9b9afb4d4b39188a0f20031ef0568bfb4920345c24dfc7b384112a4cd0a22b50
                                  • Instruction ID: 0a8c38a067547a331136391d4d2a679034acb992293eae15733d6c7dc3cc440c
                                  • Opcode Fuzzy Hash: 9b9afb4d4b39188a0f20031ef0568bfb4920345c24dfc7b384112a4cd0a22b50
                                  • Instruction Fuzzy Hash: C62162EB24C1507DB546C5867F28EFEAB6EE5D7B30331843BF442C5146E2864A4E6171
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505277155.0000000005090000.00000040.00001000.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5090000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b3ea46bc3c618e9fd1d4256371126f4a1b15e3e38b27fc2485b25a2378bad3ce
                                  • Instruction ID: 27ec40f9933753843a1586f3dd663b122c3cbe594660ad4996aaf5296b8b9474
                                  • Opcode Fuzzy Hash: b3ea46bc3c618e9fd1d4256371126f4a1b15e3e38b27fc2485b25a2378bad3ce
                                  • Instruction Fuzzy Hash: 76215EEB2881107E7542C5867F28EFFAB6EE5D7B70331C43BF902C6506E2954A4E6171
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505277155.0000000005090000.00000040.00001000.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5090000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d76900492852f16365f70fb44fde9c1efccc13420c8e216dabf9552625e0ef38
                                  • Instruction ID: acfe74b925f78f19894e1c8398ff9da54d9b2e078c8b254204e60dd8d96870c9
                                  • Opcode Fuzzy Hash: d76900492852f16365f70fb44fde9c1efccc13420c8e216dabf9552625e0ef38
                                  • Instruction Fuzzy Hash: 93113AEB288110BE7542C1867F28EFFAB6EE5D6B70331C43BF802C2506E2D54A4E6131
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505277155.0000000005090000.00000040.00001000.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5090000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: de1b34815465c396f000e70b720b1aa8839f5c1f99d073548b5e4eb059224810
                                  • Instruction ID: be98d22b5aa1c2c8a6994d427e04a97678369247d3d4c99a7c174ce1f45a32ef
                                  • Opcode Fuzzy Hash: de1b34815465c396f000e70b720b1aa8839f5c1f99d073548b5e4eb059224810
                                  • Instruction Fuzzy Hash: 5C015EEF188010BE7542C1867B28AFEAB6FE5C7B30371C427F842C1506E2D54A4D6131
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505277155.0000000005090000.00000040.00001000.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5090000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 942ad7058cc9ffe01416412679ba928cf7d57bcced4f1ebe1c72600bdd5b8ec6
                                  • Instruction ID: 4c76524984c0477bbc0344da58aa944543e6ba2c2222ca7cf1def15cc31c39c8
                                  • Opcode Fuzzy Hash: 942ad7058cc9ffe01416412679ba928cf7d57bcced4f1ebe1c72600bdd5b8ec6
                                  • Instruction Fuzzy Hash: 72015EAF188010BEB956C6867B28AFEA77EE5D7B30371C437F842C1416E3954A4DA231
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505277155.0000000005090000.00000040.00001000.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5090000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b08476470e74e9441c49cf9cb8ea9421768f6d6ea3eb7fc28b7aec00e234c2a6
                                  • Instruction ID: c8c02cf94d8c58471321d245b36245b83688055627a499ff1579800efd3129af
                                  • Opcode Fuzzy Hash: b08476470e74e9441c49cf9cb8ea9421768f6d6ea3eb7fc28b7aec00e234c2a6
                                  • Instruction Fuzzy Hash: 5801D8BB148114BE6652D1853B29BFEBB6FEAC6B30371C42BF802C5415D2954A49A131
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4505277155.0000000005090000.00000040.00001000.00020000.00000000.sdmp, Offset: 05090000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_5090000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1fba4a2f424770dea158e84b9ab80bd643f33423e42adf61849450744da981de
                                  • Instruction ID: f1409bb23e14e2800e6e2fc2ea808c700c6c47f627e45ff2a3e7591e9cd82275
                                  • Opcode Fuzzy Hash: 1fba4a2f424770dea158e84b9ab80bd643f33423e42adf61849450744da981de
                                  • Instruction Fuzzy Hash: 7F01A2FB148114BF6652D1957B29AFEBB6FE6C6B30331C42BF842C6016D2964A49A131
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction ID: bde0113280cfbda9c95275b2583dce71ed5cd7b5b2f1ff4133e380229173fa05
                                  • Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction Fuzzy Hash: 4D025B71E1121A9BDF14CFA8C8C06EEFBF5FF58314F258269D919A7380DB31A9518B90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019F833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019F855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019F875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019F89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019F90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0019F959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0019F973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019FA08
                                  • std::_Facet_Register.LIBCPMT ref: 0019FA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$"%
                                  • API String ID: 3375549084-2785405677
                                  • Opcode ID: 4a54bf5f6e3152a018bb00732e1ad6b7508442f0a4e6be0fa36ab11bad9f5f2d
                                  • Instruction ID: ee9b7f4059d942a84a4923003dc0c330985f7655f3f5f0108cb6b216cd744a21
                                  • Opcode Fuzzy Hash: 4a54bf5f6e3152a018bb00732e1ad6b7508442f0a4e6be0fa36ab11bad9f5f2d
                                  • Instruction Fuzzy Hash: 0F617CB1D10208EBEF10DFA4D849B9EBBF4AF14714F184468E805E7381E775AD56CB91
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00212E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00212E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00212ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00212F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00212F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: i&$csm
                                  • API String ID: 1170836740-3583052009
                                  • Opcode ID: 502c7fd2cc1b6305c62e736f76ed96174aa6e38b662974a43a9185f2d4dd9457
                                  • Instruction ID: 7f0d160eddc657807d555fb2c4130da08c0cff65e6a9c9554e2eb7bae3c02c9b
                                  • Opcode Fuzzy Hash: 502c7fd2cc1b6305c62e736f76ed96174aa6e38b662974a43a9185f2d4dd9457
                                  • Instruction Fuzzy Hash: B3419230A20209DBCF10DF68D885ADEBBF5EF55324F148055F9149B292D732EAB9CB91
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00133A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00133AA4
                                  • __Getctype.LIBCPMT ref: 00133ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00133AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00133B7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: 39bd3b24db54c8945a5bd8bbaffa1dc1c88ce69294c0efdb10762d82777e3811
                                  • Instruction ID: 60b0b95d657660890123011f12d31e36870daadeb48752eb23c3c8ce6cd24115
                                  • Opcode Fuzzy Hash: 39bd3b24db54c8945a5bd8bbaffa1dc1c88ce69294c0efdb10762d82777e3811
                                  • Instruction Fuzzy Hash: F3513CB1D00348DBEF10DFA4D845B9EFBB8AF14310F144069E809AB382E775DA58CBA5
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019DE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0019DEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019DED6
                                  • std::_Facet_Register.LIBCPMT ref: 0019DF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0019DF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0019DF7B
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  • Opcode ID: db6ba1707d3abd9644993d4242b9ed1c54b2dd77ded878fd3753c344aa5ea57b
                                  • Instruction ID: 5bbc7e19c18dc5cbb7f804ee8bc3cc3c85cc3a2ec7f3de1f221a2ef33f8ba2f8
                                  • Opcode Fuzzy Hash: db6ba1707d3abd9644993d4242b9ed1c54b2dd77ded878fd3753c344aa5ea57b
                                  • Instruction Fuzzy Hash: C4412672910219DFCF14DF94E986A6EBBB4FB10720F148268E8156B392D770AD11CBD1
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00134F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00134FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001350C8
                                  Strings
                                  • recursive_directory_iterator::operator++, xrefs: 0013504C
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-953255998
                                  • Opcode ID: 0a0d4c7e6a91c7fd64ca2dbfd56b5b28e2ee5424e2a6f1f2aa536e4814f4f92b
                                  • Instruction ID: 253f524e4b1548819be38e26e859700b79edce99598856a978eeba78fb40dec4
                                  • Opcode Fuzzy Hash: 0a0d4c7e6a91c7fd64ca2dbfd56b5b28e2ee5424e2a6f1f2aa536e4814f4f92b
                                  • Instruction Fuzzy Hash: 4AE1E2B19106049FCB28DF68D845BAEBBF9FF44300F148A2DE45693B81E774B954CBA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0013799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00137B75
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: out_of_range$type_error
                                  • API String ID: 2659868963-3702451861
                                  • Opcode ID: 540c24e0f071101a32b1eca3f3cc57115b9605288b9a43b435352324834673d2
                                  • Instruction ID: 0873fba22ab0ce2be53dfb639add407632513e482b25baa43b04831e90967bc9
                                  • Opcode Fuzzy Hash: 540c24e0f071101a32b1eca3f3cc57115b9605288b9a43b435352324834673d2
                                  • Instruction Fuzzy Hash: C7C157B19002089FDB18CFA8D984B9DFBF5FF49310F14866AE419EB781E774A984CB54
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00132275
                                    • Part of subcall function 0020D6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0020D6F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                  • String ID: string too long$L&$L&
                                  • API String ID: 1997705970-2440114816
                                  • Opcode ID: caede21bbe6da2d8325baf246a4404f57dd146b58e2bb040046a6ae201ebde9e
                                  • Instruction ID: 5b3de2f90b9657f3117d96fcc1dd6357183e1885e244b762af2c0565347044f0
                                  • Opcode Fuzzy Hash: caede21bbe6da2d8325baf246a4404f57dd146b58e2bb040046a6ae201ebde9e
                                  • Instruction Fuzzy Hash: 9A811275A042899FDB06DF68C460BEEBFF1FF6A300F18416AC894A7782C3758545CBA1
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001375BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001375CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column
                                  • API String ID: 4194217158-191570568
                                  • Opcode ID: 4180e295cf1a2fe8dd93279fc840884f7f2da454b04d9ef6da9f47839da57658
                                  • Instruction ID: e713cffd93a8342dc265857860f14b9b779d03d1872c0bdf27575f4e9eea48ee
                                  • Opcode Fuzzy Hash: 4180e295cf1a2fe8dd93279fc840884f7f2da454b04d9ef6da9f47839da57658
                                  • Instruction Fuzzy Hash: 2061E1B0A002049FDB1CDF68DC94BADBBB6FF45300F244628E415A7BC2D774AA948B91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00133E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 64febd75ea1defa470ad7b3011e45b44c48d1f549c5fe142f83530c4ebef8e78
                                  • Instruction ID: 2d5e31264e3a3d13f64ec59032cca74881ff3375f8c859c39f11909fe2193e10
                                  • Opcode Fuzzy Hash: 64febd75ea1defa470ad7b3011e45b44c48d1f549c5fe142f83530c4ebef8e78
                                  • Instruction Fuzzy Hash: 4841E5B2900208AFCB04DF58D845BEEB7F8EF49310F14852AF929D7741E770AA518BA4
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00133E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 2a08587c746d88124f316b24918324e75a92d8b8ac6f7c870d5a50c47ae9d4a3
                                  • Instruction ID: cc3c1446fa671a292058142bfe81be661c9c41c6035c3aacaf34c4e00ddd5208
                                  • Opcode Fuzzy Hash: 2a08587c746d88124f316b24918324e75a92d8b8ac6f7c870d5a50c47ae9d4a3
                                  • Instruction Fuzzy Hash: 0B212BB2910304AFC714DF58D805B96B7DCAB15310F08883AFE78C7641E770EA64CB94
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00137340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: parse error$parse_error
                                  • API String ID: 2659868963-1820534363
                                  • Opcode ID: 4783d47757e759f9e3b0418e43315489b6121af0f7b18089215b1e1010609783
                                  • Instruction ID: ef308799dead33717b3887087c51cdcc24be091f2186bd8655a685de9c041b42
                                  • Opcode Fuzzy Hash: 4783d47757e759f9e3b0418e43315489b6121af0f7b18089215b1e1010609783
                                  • Instruction Fuzzy Hash: 2CE16EB19042488FDB18CF68C994BADBBF1FF49300F248269E418EB792D7749A85CF51
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00136F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00136F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.
                                  • API String ID: 4194217158-791563284
                                  • Opcode ID: 04a5be585f3883f481887d485d151d6fb3d9bc38d423d5a7fe33530e531bd164
                                  • Instruction ID: 39e1b33da134756bc4e5c3fb801c1326f2bee5662c519cc35e6b94a182fde5f8
                                  • Opcode Fuzzy Hash: 04a5be585f3883f481887d485d151d6fb3d9bc38d423d5a7fe33530e531bd164
                                  • Instruction Fuzzy Hash: 4391D470A002049FDB18CF68D994BAEBBF6FF45300F20866CE459AB792D775A985CB50
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 001AE491
                                  Strings
                                  • type must be boolean, but is , xrefs: 001AE582
                                  • type must be string, but is , xrefs: 001AE4F8
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.4496595662.0000000000131000.00000040.00000001.01000000.00000006.sdmp, Offset: 00130000, based on PE: true
                                   • Associated: 0000000A.00000002.4496465970.0000000000130000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496595662.0000000000263000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4496987481.0000000000268000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000026C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000003FC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.00000000004DF000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000518000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.0000000000521000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4497054948.000000000052F000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498121363.0000000000530000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.4498469107.00000000006D9000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_130000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: ada7ecae50ea3af7e7b299258ca7013531d35b153ffce0ec69130373915f08c8
                                  • Instruction ID: 50c3bfae8fa7e8564c86067a1522744ef176f232a6406315d3c94f091652707f
                                  • Opcode Fuzzy Hash: ada7ecae50ea3af7e7b299258ca7013531d35b153ffce0ec69130373915f08c8
                                  • Instruction Fuzzy Hash: 5F419CB9904248AFDB14EBA4D802BAEB7ECDB15300F144574F805D7682EB35EA54C791