
Windows Analysis Report
LisectAVT_2403002A_151.exe

Overview

General Information

Sample name: LisectAVT_2403002A_151.exe
Analysis ID: 1482488
MD5: a528d71182717541346487642bb54dd2
SHA1: 7c9b47714dfce098237d5df9381fcbe1d856f41d
SHA256: f4880369ec64ebb35bbf6231f9275d82a878e6c3cdfb75468ea1d529b895892d
Tags: exe, RiseProStealer

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Classification

  • System is w10x64
  • LisectAVT_2403002A_151.exe (PID: 6456 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_151.exe" MD5: A528D71182717541346487642BB54DD2)
    • schtasks.exe (PID: 6952 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7052 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MPGPH131.exe (PID: 5804 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: A528D71182717541346487642BB54DD2)
  • MPGPH131.exe (PID: 2932 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: A528D71182717541346487642BB54DD2)
  • RageMP131.exe (PID: 7196 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: A528D71182717541346487642BB54DD2)
  • RageMP131.exe (PID: 7456 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: A528D71182717541346487642BB54DD2)
  • cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
| 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
| 00000000.00000003.1655205420.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
| 00000009.00000003.1894436988.00000000049C0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |
| 00000005.00000003.1713791639.0000000004B60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security | |

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe, ProcessId: 6456, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
No Snort rule has matched

| Timestamp | SID | Source Port | Destination Port | Protocol | Classtype |
|---|---|---|---|---|---|
| 2024-07-25T23:42:32.818118+0200 | 2049060 | 49731 | 58709 | TCP | A Network Trojan was detected |
| 2024-07-25T23:42:46.250615+0200 | 2022930 | 443 | 49734 | TCP | A Network Trojan was detected |
| 2024-07-25T23:42:27.536551+0200 | 2049060 | 49730 | 58709 | TCP | A Network Trojan was detected |
| 2024-07-25T23:42:35.811823+0200 | 2046269 | 49731 | 58709 | TCP | A Network Trojan was detected |
| 2024-07-25T23:42:35.811723+0200 | 2046269 | 49732 | 58709 | TCP | A Network Trojan was detected |
| 2024-07-25T23:42:30.525266+0200 | 2046269 | 49730 | 58709 | TCP | A Network Trojan was detected |
| 2024-07-25T23:42:53.202466+0200 | 2046269 | 49740 | 58709 | TCP | A Network Trojan was detected |
| 2024-07-25T23:42:45.437263+0200 | 2046269 | 49733 | 58709 | TCP | A Network Trojan was detected |
| 2024-07-25T23:43:26.815937+0200 | 2022930 | 443 | 49741 | TCP | A Network Trojan was detected |

AV Detection

Source: LisectAVT_2403002A_151.exe | Avira: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: LisectAVT_2403002A_151.exe | Joe Sandbox ML: detected
Source: LisectAVT_2403002A_151.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: global traffic | TCP traffic: 193.233.132.62 ports 0,5,7,8,58709,9
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 193.233.132.62:58709
Source: Joe Sandbox View | IP Address: 193.233.132.62
Source: Joe Sandbox View | ASN Name: FREE-NET-ASFREEnetEU
Source: unknown | TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Code function: 0_2_009DE0A0 recv,setsockopt,WSAStartup,closesocket,socket,connect,closesocket | 0_2_009DE0A0
Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000003.1715659153.0000000004320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1808878932.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1894436988.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2908237269.0000000000E91000.00000040.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
Source: MPGPH131.exe, RageMP131.exe | String found in binary or memory: https://ipinfo.io/
Source: LisectAVT_2403002A_151.exe, 00000000.00000003.1655205420.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_151.exe, 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1713791639.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1715659153.0000000004320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1808878932.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1894436988.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2908237269.0000000000E91000.00000040.00000001.01000000.00000005.sdmp | String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: RageMP131.exe, 00000009.00000002.2907853014.0000000000D98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000006.00000002.2909798840.0000000000B18000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORT2
Source: MPGPH131.exe, RageMP131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

System Summary

Source: LisectAVT_2403002A_151.exe | Static PE information: section name:
Source: LisectAVT_2403002A_151.exe | Static PE information: section name: .idata
Source: RageMP131.exe.0.dr | Static PE information: section name:
Source: RageMP131.exe.0.dr | Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr | Static PE information: section name:
Source: MPGPH131.exe.0.dr | Static PE information: section name: .idata
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: String function: 00F6FED0 appears 31 times
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Code function: String function: 00A9FED0 appears 31 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 006BFED0 appears 62 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 006BF4FC appears 46 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 006CFD51 appears 34 times
Source: LisectAVT_2403002A_151.exe, 00000000.00000002.2913002181.0000000004DCF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename filezilla.exe4 vs LisectAVT_2403002A_151.exe
Source: LisectAVT_2403002A_151.exe, 00000000.00000000.1649743770.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename filezilla.exe4 vs LisectAVT_2403002A_151.exe
Source: LisectAVT_2403002A_151.exe, 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename filezilla.exe4 vs LisectAVT_2403002A_151.exe
Source: LisectAVT_2403002A_151.exe | Binary or memory string: OriginalFilename filezilla.exe4 vs LisectAVT_2403002A_151.exe
Source: LisectAVT_2403002A_151.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002A_151.exe | Static PE information: Section: ZLIB complexity 0.9991561823593074
Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9991561823593074
Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9991561823593074
Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/5@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Command line argument: nIn | 5_2_006E48C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Command line argument: nIn | 6_2_006E48C0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000003.1715659153.0000000004320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1808878932.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1894436988.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2908237269.0000000000E91000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_151.exe, 00000000.00000003.1655205420.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_151.exe, 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1713791639.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1715659153.0000000004320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1808878932.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1894436988.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2908237269.0000000000E91000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LisectAVT_2403002A_151.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: LisectAVT_2403002A_151.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe | String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | File read: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe
            Source: unknown | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe "C:\Users\user\Desktop\LisectAVT_2403002A_151.exe"
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
            Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
            Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Section loaded: rstrtmgr.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Section loaded: devobj.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winmm.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winmm.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
            Source: LisectAVT_2403002A_151.exe | Static file information: File size 3193864 > 1048576
            Source: LisectAVT_2403002A_151.exe | Static PE information: Raw size of qzmhftlj is bigger than: 0x100000 < 0x275400

            Data Obfuscation

            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Unpacked PE file: 0.2.LisectAVT_2403002A_151.exe.9c0000.0.unpack :EW;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW;
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 5.2.MPGPH131.exe.5e0000.0.unpack :EW;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW;
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 6.2.MPGPH131.exe.5e0000.0.unpack :EW;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW;
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 7.2.RageMP131.exe.e90000.0.unpack :EW;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW;
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 9.2.RageMP131.exe.e90000.0.unpack :EW;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;qzmhftlj:EW;bkynihaq:EW;.taggant:EW;
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Code function: 0_2_009D9F50 LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory, 0_2_009D9F50
            Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
            Source: RageMP131.exe.0.dr | Static PE information: real checksum: 0x315411 should be: 0x30f84d
            Source: MPGPH131.exe.0.dr | Static PE information: real checksum: 0x315411 should be: 0x30f84d
            Source: LisectAVT_2403002A_151.exe | Static PE information: real checksum: 0x315411 should be: 0x30f84d
            Source: LisectAVT_2403002A_151.exe | Static PE information: section name:
            Source: LisectAVT_2403002A_151.exe | Static PE information: section name: .idata
            Source: LisectAVT_2403002A_151.exe | Static PE information: section name: qzmhftlj
            Source: LisectAVT_2403002A_151.exe | Static PE information: section name: bkynihaq
            Source: LisectAVT_2403002A_151.exe | Static PE information: section name: .taggant
            Source: RageMP131.exe.0.dr | Static PE information: section name:
            Source: RageMP131.exe.0.dr | Static PE information: section name: .idata
            Source: RageMP131.exe.0.dr | Static PE information: section name: qzmhftlj
            Source: RageMP131.exe.0.dr | Static PE information: section name: bkynihaq
            Source: RageMP131.exe.0.dr | Static PE information: section name: .taggant
            Source: MPGPH131.exe.0.dr | Static PE information: section name:
            Source: MPGPH131.exe.0.dr | Static PE information: section name: .idata
            Source: MPGPH131.exe.0.dr | Static PE information: section name: qzmhftlj
            Source: MPGPH131.exe.0.dr | Static PE information: section name: bkynihaq
            Source: MPGPH131.exe.0.dr | Static PE information: section name: .taggant
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Code function: 0_2_00A9FA97 push ecx; ret 0_2_00A9FAAA
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Code function: 0_2_009E1B20 push esi; ret 0_2_009E1B22
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_006BFA97 push ecx; ret 5_2_006BFAAA
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_005F7D53 push edi; retf 000Ch 5_2_005F7D56
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_006BFA97 push ecx; ret 6_2_006BFAAA
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00601B20 push esi; ret 6_2_00601B22
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 7_2_00F6FA97 push ecx; ret 7_2_00F6FAAA
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 7_2_00EA7D53 push edi; retf 000Ch 7_2_00EA7D56
            Source: LisectAVT_2403002A_151.exe | Static PE information: section name: entropy: 7.983746449936841
            Source: RageMP131.exe.0.dr | Static PE information: section name: entropy: 7.983746449936841
            Source: MPGPH131.exe.0.dr | Static PE information: section name: entropy: 7.983746449936841
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe

            Boot Survival

            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | Code function: 0_2_00A43F80 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00A43F80

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: B00270 second address: AFFBA1
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C85142 second address: C85151
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C85151 second address: C85157
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C85157 second address: C85175
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C85175 second address: C85179
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C85179 second address: C8517D
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C7809D second address: C780BF
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C780BF second address: C780DB
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C780DB second address: C780EB
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C84737 second address: C8476D
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C8476D second address: C84771
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C84771 second address: C84785
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C84785 second address: C84789
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C84A07 second address: C84A0B
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C84A0B second address: C84A1C
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C84A1C second address: C84A24
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C84A24 second address: C84A46
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C84A46 second address: C84A4E
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C84A4E second address: C84A54
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C84A54 second address: C84A58
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CA763B second address: CA7661
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CA7661 second address: CA767E
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CA7838 second address: CA783E
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CA783E second address: CA7863
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CA7863 second address: CA7869
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CA7869 second address: CA7873
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CA7873 second address: CA7877
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CA7877 second address: CA788F
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CA7CD8 second address: CA7CF4
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CA8162 second address: CA8166
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CA82DB second address: CA82FB
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CA82FB second address: CA8301
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CA846E second address: CA8473
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CA8EE1 second address: CA8EEB
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CAE767 second address: CAE774
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB0BF2 second address: CB0BF6
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB0BF6 second address: CB0BFC
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB0BFC second address: CB0C25
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB4D25 second address: CB4D2B
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB4D2B second address: CB4D37
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB4D37 second address: CB4D3D
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB4D3D second address: CB4D45
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB4D45 second address: CB4D5A
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB4D5A second address: CB4D7B
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB4D7B second address: CB4DB0
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C7B670 second address: C7B676
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C7B676 second address: C7B6BB
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: C7B6BB second address: C7B6C0
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB7167 second address: CB7171
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB7171 second address: CB7183
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB7183 second address: CB71A1
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB73CE second address: CB73D5
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB73D5 second address: CB73E3
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB73E3 second address: CB73E8
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB73E8 second address: CB73F2
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB78B9 second address: CB78C3
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB7947 second address: CB7958
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe | RDTSC instruction interceptor: First address: CB7958 second address: CB795C
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CB7E1A second address: CB7E29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F4860DEC966h 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CB8383 second address: CB8389 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CB8BE8 second address: CB8BF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CB8A6D second address: CB8A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CB951E second address: CB9532 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC970h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CB8A78 second address: CB8A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CB976A second address: CB976F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CB9532 second address: CB9538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CBADA7 second address: CBADC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC96Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c jnc 00007F4860DEC966h 0x00000012 pop ecx 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CBDA86 second address: CBDA8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC0A9B second address: CC0B32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC970h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, 325ACBEAh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F4860DEC968h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d call 00007F4860DEC975h 0x00000032 push eax 0x00000033 mov dword ptr [ebp+122D2A49h], eax 0x00000039 pop edi 0x0000003a pop edi 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ecx 0x00000040 call 00007F4860DEC968h 0x00000045 pop ecx 0x00000046 mov dword ptr [esp+04h], ecx 0x0000004a add dword ptr [esp+04h], 0000001Ch 0x00000052 inc ecx 0x00000053 push ecx 0x00000054 ret 0x00000055 pop ecx 0x00000056 ret 0x00000057 jnl 00007F4860DEC96Ch 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC0B32 second address: CC0B38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC1AE1 second address: CC1AE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC1AE7 second address: CC1B6F instructions: 0x00000000 rdtsc 0x00000002 je 00007F4860DF3FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F4860DF3FD7h 0x00000012 nop 0x00000013 or dword ptr [ebp+1248708Eh], ebx 0x00000019 mov di, 32B0h 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007F4860DF3FC8h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 00000018h 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007F4860DF3FC8h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 00000018h 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 movzx ebx, si 0x00000058 push eax 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F4860DF3FCEh 0x00000061 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC0C94 second address: CC0C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC2ACE second address: CC2AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC1D2D second address: CC1D3F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4860DEC966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F4860DEC96Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC1D3F second address: CC1DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 add bx, B8FAh 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F4860DF3FC8h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e mov dword ptr fs:[00000000h], esp 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007F4860DF3FC8h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 00000016h 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f mov eax, dword ptr [ebp+122D173Dh] 0x00000055 mov dword ptr [ebp+122D2A2Eh], ebx 0x0000005b push FFFFFFFFh 0x0000005d mov ebx, dword ptr [ebp+122D2A66h] 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC1DB5 second address: CC1DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC1DB9 second address: CC1DBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC1DBD second address: CC1DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC5A29 second address: CC5A2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC6B15 second address: CC6B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC9376 second address: CC937C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC937C second address: CC9383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CCB171 second address: CCB18E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CCB18E second address: CCB198 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4860DEC96Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CCB198 second address: CCB1E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 clc 0x0000000a push 00000000h 0x0000000c sub dword ptr [ebp+122D2BB7h], esi 0x00000012 mov edi, dword ptr [ebp+122D3A94h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F4860DF3FC8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 mov ebx, dword ptr [ebp+122D37C8h] 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f jne 00007F4860DF3FC6h 0x00000045 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC9427 second address: CC942B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CCB1E6 second address: CCB1EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CC942B second address: CC943F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC970h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CCB1EC second address: CCB1F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CCC182 second address: CCC187 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CCC187 second address: CCC18D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CCB418 second address: CCB422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CCD254 second address: CCD2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push esi 0x0000000b call 00007F4860DF3FCEh 0x00000010 mov edi, dword ptr [ebp+122D1CE9h] 0x00000016 pop ebx 0x00000017 pop edi 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F4860DF3FC8h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 cld 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edx 0x0000003a call 00007F4860DF3FC8h 0x0000003f pop edx 0x00000040 mov dword ptr [esp+04h], edx 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc edx 0x0000004d push edx 0x0000004e ret 0x0000004f pop edx 0x00000050 ret 0x00000051 jmp 00007F4860DF3FCEh 0x00000056 push eax 0x00000057 pushad 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CCD42D second address: CCD433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CCD433 second address: CCD4B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push ecx 0x00000008 jmp 00007F4860DF3FD5h 0x0000000d pop ecx 0x0000000e nop 0x0000000f and ebx, dword ptr [ebp+122D2A0Bh] 0x00000015 add di, F602h 0x0000001a push dword ptr fs:[00000000h] 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 sub dword ptr [ebp+122D316Ch], ecx 0x0000002e mov eax, dword ptr [ebp+122D1255h] 0x00000034 push 00000000h 0x00000036 push ebp 0x00000037 call 00007F4860DF3FC8h 0x0000003c pop ebp 0x0000003d mov dword ptr [esp+04h], ebp 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc ebp 0x0000004a push ebp 0x0000004b ret 0x0000004c pop ebp 0x0000004d ret 0x0000004e movsx ebx, di 0x00000051 mov dword ptr [ebp+122D2BBEh], ecx 0x00000057 push FFFFFFFFh 0x00000059 mov ebx, dword ptr [ebp+122D2C1Bh] 0x0000005f nop 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F4860DF3FCCh 0x00000069 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CCE4B3 second address: CCE4B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CCD4B6 second address: CCD4CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CCD4CD second address: CCD4E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jnl 00007F4860DEC966h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CCD4E0 second address: CCD4E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CD04FD second address: CD0522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4860DEC978h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CD0522 second address: CD0528 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CD0528 second address: CD052E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CD13EF second address: CD13F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CD13F5 second address: CD13F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CD06D0 second address: CD06EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4860DF3FC6h 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4860DF3FCCh 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CDC144 second address: CDC154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4860DEC96Ah 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CDC154 second address: CDC163 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4860DF3FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CDC163 second address: CDC16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: C72D59 second address: C72D7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F4860DF3FCCh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: C72D7D second address: C72DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4860DEC979h 0x00000010 jmp 00007F4860DEC96Fh 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CE234B second address: CE2351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CE2351 second address: CE2357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CE2357 second address: CE235D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CEEB05 second address: CEEB2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 jmp 00007F4860DEC96Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4860DEC96Fh 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CEEB2B second address: CEEB2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CECB85 second address: CECB89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CECB89 second address: CECB93 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CECB93 second address: CECB97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CECCC4 second address: CECCE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4860DF3FD7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CECCE1 second address: CECCFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4860DEC978h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CECCFD second address: CECD01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CED2DD second address: CED2E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CED2E3 second address: CED2E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CED2E7 second address: CED2F1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4860DEC96Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CED716 second address: CED720 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4860DF3FD2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CED720 second address: CED726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CED868 second address: CED86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CED86C second address: CED870 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CED870 second address: CED87C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CED87C second address: CED880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CED880 second address: CED884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CEDB79 second address: CEDB7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CEDB7D second address: CEDB8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CEDB8B second address: CEDBC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC973h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F4860DEC979h 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F4860DEC966h 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CEDBC4 second address: CEDBC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exeRDTSC instruction interceptor: First address: CEE953 second address: CEE968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4860DEC96Eh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D4D45 second address: 8D4D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4860DF3FD1h 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D4D5A second address: 8D4D7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC974h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D4D7B second address: 8D4DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 jp 00007F4860DF3FC6h 0x0000000e jmp 00007F4860DF3FCBh 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F4860DF3FD9h 0x0000001b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 89B670 second address: 89B676 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 89B676 second address: 89B6BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F4860DF3FCEh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F4860DF3FD7h 0x0000001b push edx 0x0000001c pop edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 89B6BB second address: 89B6C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D7167 second address: 8D7171 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F4860DF3FC6h 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D7171 second address: 8D7183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F4860DEC966h 0x00000012 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D7183 second address: 8D71A1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4860DF3FD6h 0x0000000d rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D73CE second address: 8D73D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D73D5 second address: 8D73E3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D73E3 second address: 8D73E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D73E8 second address: 8D73F2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4860DF3FCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D78B9 second address: 8D78C3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4860DEC966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D7947 second address: 8D7958 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8C7CD8 second address: 8C7CF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F4860DEC966h 0x00000009 jne 00007F4860DEC966h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007F4860DEC966h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8C82DB second address: 8C82FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 push edx 0x00000008 jmp 00007F4860DEC96Dh 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007F4860DEC966h 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8C8EE1 second address: 8C8EEB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4860DF3FC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8CE767 second address: 8CE774 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F4860DEC966h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D0BFC second address: 8D0C25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F4860DF3FCCh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4860DF3FCEh 0x00000019 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D4D2B second address: 8D4D37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F4860DF3FD2h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D4D45 second address: 8D4D5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4860DEC971h 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D4D5A second address: 8D4D7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD4h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D4D7B second address: 8D4DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 jp 00007F4860DEC966h 0x0000000e jmp 00007F4860DEC96Bh 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F4860DEC979h 0x0000001b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 89B676 second address: 89B6BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC971h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F4860DEC96Eh 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F4860DEC977h 0x0000001b push edx 0x0000001c pop edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D7167 second address: 8D7171 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F4860DEC966h 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D7171 second address: 8D7183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007F4860DF3FC6h 0x00000012 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D7183 second address: 8D71A1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4860DEC976h 0x0000000d rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D73E8 second address: 8D73F2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4860DEC96Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D78B9 second address: 8D78C3 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4860DF3FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D7958 second address: 8D795C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D7E1A second address: 8D7E29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F4860DEC966h 0x0000000f rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D8383 second address: 8D8389 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D8BE8 second address: 8D8BF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D8A6D second address: 8D8A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D8A78 second address: 8D8A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D976A second address: 8D976F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D951E second address: 8D9532 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8D9532 second address: 8D9538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8DADA7 second address: 8DADC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC96Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ecx 0x0000000c jnc 00007F4860DEC966h 0x00000012 pop ecx 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8DDA86 second address: 8DDA8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8E0A9B second address: 8E0B32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov edi, 325ACBEAh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F4860DF3FC8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d call 00007F4860DF3FD5h 0x00000032 push eax 0x00000033 mov dword ptr [ebp+122D2A49h], eax 0x00000039 pop edi 0x0000003a pop edi 0x0000003b push 00000000h 0x0000003d push 00000000h 0x0000003f push ecx 0x00000040 call 00007F4860DF3FC8h 0x00000045 pop ecx 0x00000046 mov dword ptr [esp+04h], ecx 0x0000004a add dword ptr [esp+04h], 0000001Ch 0x00000052 inc ecx 0x00000053 push ecx 0x00000054 ret 0x00000055 pop ecx 0x00000056 ret 0x00000057 jnl 00007F4860DF3FCCh 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8E0B32 second address: 8E0B38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8E1AE1 second address: 8E1AE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8E1AE7 second address: 8E1B6F instructions: 0x00000000 rdtsc 0x00000002 je 00007F4860DEC966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F4860DEC977h 0x00000012 nop 0x00000013 or dword ptr [ebp+1248708Eh], ebx 0x00000019 mov di, 32B0h 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007F4860DEC968h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 00000018h 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007F4860DEC968h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 00000018h 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 movzx ebx, si 0x00000058 push eax 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F4860DEC96Eh 0x00000061 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8E2ACE second address: 8E2AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8E5A29 second address: 8E5A2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8E6B15 second address: 8E6B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8EB171 second address: 8EB18E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC979h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8EB18E second address: 8EB198 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4860DF3FCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8EB198 second address: 8EB1E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 clc 0x0000000a push 00000000h 0x0000000c sub dword ptr [ebp+122D2BB7h], esi 0x00000012 mov edi, dword ptr [ebp+122D3A94h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F4860DEC968h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 mov ebx, dword ptr [ebp+122D37C8h] 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f jne 00007F4860DEC966h 0x00000045 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8EB1E6 second address: 8EB1EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8EB1EC second address: 8EB1F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8EC182 second address: 8EC187 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8EC187 second address: 8EC18D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8ED254 second address: 8ED2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push esi 0x0000000b call 00007F4860DF3FCEh 0x00000010 mov edi, dword ptr [ebp+122D1CE9h] 0x00000016 pop ebx 0x00000017 pop edi 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F4860DF3FC8h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 cld 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edx 0x0000003a call 00007F4860DF3FC8h 0x0000003f pop edx 0x00000040 mov dword ptr [esp+04h], edx 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc edx 0x0000004d push edx 0x0000004e ret 0x0000004f pop edx 0x00000050 ret 0x00000051 jmp 00007F4860DF3FCEh 0x00000056 push eax 0x00000057 pushad 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8F04FD second address: 8F0522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4860DEC978h 0x00000012 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8F0522 second address: 8F0528 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8F0528 second address: 8F052E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8F13EF second address: 8F13F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8F13F5 second address: 8F13F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8FC144 second address: 8FC154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4860DF3FCAh 0x0000000b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8FC154 second address: 8FC163 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4860DEC966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8FC163 second address: 8FC16E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 892D59 second address: 892D7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC971h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F4860DEC96Ch 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 892D7D second address: 892DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4860DF3FD9h 0x00000010 jmp 00007F4860DF3FCFh 0x00000015 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 90234B second address: 902351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 902351 second address: 902357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 902357 second address: 90235D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8DEDE6 second address: 8DEDEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8E0C94 second address: 8E0C9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8E0D7B second address: 8E0D7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8E1D2D second address: 8E1D3F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4860DEC966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F4860DEC96Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8E1D3F second address: 8E1DB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 add bx, B8FAh 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F4860DF3FC8h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e mov dword ptr fs:[00000000h], esp 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007F4860DF3FC8h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 00000016h 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f mov eax, dword ptr [ebp+122D173Dh] 0x00000055 mov dword ptr [ebp+122D2A2Eh], ebx 0x0000005b push FFFFFFFFh 0x0000005d mov ebx, dword ptr [ebp+122D2A66h] 0x00000063 push eax 0x00000064 push eax 0x00000065 push edx 0x00000066 push eax 0x00000067 push edx 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8E1DB5 second address: 8E1DB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8E1DB9 second address: 8E1DBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 8E1DBD second address: 8E1DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 90EB05 second address: 90EB2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 jmp 00007F4860DF3FCEh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4860DF3FCFh 0x00000013 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90EB2B second address: 90EB2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90CB85 second address: 90CB89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90CB89 second address: 90CB93 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90CB93 second address: 90CB97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90CCC4 second address: 90CCE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4860DEC977h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90CCE1 second address: 90CCFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4860DF3FD8h 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90CCFD second address: 90CD01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D2DD second address: 90D2E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D2E3 second address: 90D2E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D2E7 second address: 90D2F1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4860DF3FCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D716 second address: 90D720 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4860DEC972h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D720 second address: 90D726 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D868 second address: 90D86C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D86C second address: 90D870 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D870 second address: 90D87C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D87C second address: 90D880 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D880 second address: 90D884 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90DB79 second address: 90DB7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90DB7D second address: 90DB8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC96Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90DB8B second address: 90DBC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F4860DF3FD9h 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F4860DF3FC6h 0x00000017 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90DBC4 second address: 90DBC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90E953 second address: 90E968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4860DF3FCEh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90E968 second address: 90E973 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F4860DEC966h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90E973 second address: 90E981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90E981 second address: 90E993 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F4860DEC966h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90E993 second address: 90E9B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F4860DF3FC6h 0x00000011 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 916557 second address: 91656F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4860DEC96Ah 0x00000009 je 00007F4860DEC97Fh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 915F78 second address: 915F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9160BD second address: 9160CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F4860DEC966h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9160CC second address: 9160D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9160D2 second address: 9160DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F4860DEC966h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9160DF second address: 9160EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4860DF3FC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9160EE second address: 9160F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 916299 second address: 91629D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 91629D second address: 9162AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F4860DEC966h 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9162AB second address: 9162B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9162B7 second address: 9162BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E9376 second address: 8E937C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E937C second address: 8E9383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E9427 second address: 8E942B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E942B second address: 8E943F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC970h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8EB418 second address: 8EB422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8ED42D second address: 8ED433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8ED433 second address: 8ED4B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push ecx 0x00000008 jmp 00007F4860DF3FD5h 0x0000000d pop ecx 0x0000000e nop 0x0000000f and ebx, dword ptr [ebp+122D2A0Bh] 0x00000015 add di, F602h 0x0000001a push dword ptr fs:[00000000h] 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 sub dword ptr [ebp+122D316Ch], ecx 0x0000002e mov eax, dword ptr [ebp+122D1255h] 0x00000034 push 00000000h 0x00000036 push ebp 0x00000037 call 00007F4860DF3FC8h 0x0000003c pop ebp 0x0000003d mov dword ptr [esp+04h], ebp 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc ebp 0x0000004a push ebp 0x0000004b ret 0x0000004c pop ebp 0x0000004d ret 0x0000004e movsx ebx, di 0x00000051 mov dword ptr [ebp+122D2BBEh], ecx 0x00000057 push FFFFFFFFh 0x00000059 mov ebx, dword ptr [ebp+122D2C1Bh] 0x0000005f nop 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007F4860DF3FCCh 0x00000069 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8ED4B6 second address: 8ED4CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC973h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8ED4CD second address: 8ED4E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jnl 00007F4860DF3FC6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8ED4E0 second address: 8ED4E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8EE4B3 second address: 8EE4B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8F06D0 second address: 8F06EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4860DEC966h 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4860DEC96Ch 0x00000014 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8948DF second address: 89490C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jp 00007F4860DF3FC6h 0x0000000c jne 00007F4860DF3FC6h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jg 00007F4860DF3FC6h 0x0000001b jmp 00007F4860DF3FD2h 0x00000020 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 89490C second address: 894912 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9315AC second address: 9315CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4860DF3FC6h 0x0000000a jo 00007F4860DF3FC6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007F4860DF3FC6h 0x00000019 jns 00007F4860DF3FC6h 0x0000001f rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9315CB second address: 9315CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9315CF second address: 9315E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4860DF3FC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d jl 00007F4860DF3FCEh 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 933700 second address: 933721 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC96Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F4860DEC972h 0x0000000f jnc 00007F4860DEC966h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 933721 second address: 933735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jmp 00007F4860DF3FCDh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 933735 second address: 93374C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F4860DEC96Bh 0x0000000c push ecx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93D22E second address: 93D234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93D234 second address: 93D238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93D238 second address: 93D23C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93D23C second address: 93D246 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93D246 second address: 93D24A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93CDB8 second address: 93CDC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4860DEC966h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93CDC9 second address: 93CDCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93CDCD second address: 93CDD1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93CF24 second address: 93CF28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93CF28 second address: 93CF2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93CF2E second address: 93CF34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93CF34 second address: 93CF40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F4860DEC966h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93CF40 second address: 93CF46 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93CF46 second address: 93CF54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F4860DEC96Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93F7A4 second address: 93F7CD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4860DF3FD1h 0x00000008 jmp 00007F4860DF3FCBh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4860DF3FD4h 0x00000014 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93F7CD second address: 93F7D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 88DBB2 second address: 88DBB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 88DBB6 second address: 88DC0A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnp 00007F4860DEC966h 0x0000000f jmp 00007F4860DEC976h 0x00000014 popad 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jc 00007F4860DEC966h 0x0000001e jmp 00007F4860DEC96Ah 0x00000023 popad 0x00000024 popad 0x00000025 push edi 0x00000026 pushad 0x00000027 pushad 0x00000028 popad 0x00000029 push ecx 0x0000002a pop ecx 0x0000002b popad 0x0000002c pushad 0x0000002d jmp 00007F4860DEC96Dh 0x00000032 pushad 0x00000033 popad 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 941076 second address: 94108A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4860DF3FCEh 0x00000008 jnp 00007F4860DF3FC6h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 94108A second address: 941090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8E1AE7 second address: 8E1B6F instructions: 0x00000000 rdtsc 0x00000002 je 00007F4860DF3FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F4860DF3FD7h 0x00000012 nop 0x00000013 or dword ptr [ebp+1248708Eh], ebx 0x00000019 mov di, 32B0h 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007F4860DF3FC8h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 00000018h 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007F4860DF3FC8h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 00000018h 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 movzx ebx, si 0x00000058 push eax 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F4860DF3FCEh 0x00000061 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8EB171 second address: 8EB18E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8EB18E second address: 8EB198 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4860DEC96Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8EB198 second address: 8EB1E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 clc 0x0000000a push 00000000h 0x0000000c sub dword ptr [ebp+122D2BB7h], esi 0x00000012 mov edi, dword ptr [ebp+122D3A94h] 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F4860DF3FC8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 mov ebx, dword ptr [ebp+122D37C8h] 0x0000003a xchg eax, esi 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f jne 00007F4860DF3FC6h 0x00000045 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8F06D0 second address: 8F06EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4860DF3FC6h 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4860DF3FCCh 0x00000014 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8FC144 second address: 8FC154 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4860DEC96Ah 0x0000000b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8FC154 second address: 8FC163 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4860DF3FC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 892D59 second address: 892D7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007F4860DF3FCCh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 892D7D second address: 892DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4860DEC979h 0x00000010 jmp 00007F4860DEC96Fh 0x00000015 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90EB05 second address: 90EB2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ecx 0x00000007 jmp 00007F4860DEC96Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4860DEC96Fh 0x00000013 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90CCC4 second address: 90CCE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4860DF3FD7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90CCE1 second address: 90CCFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4860DEC978h 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D2E7 second address: 90D2F1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4860DEC96Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90D716 second address: 90D720 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4860DF3FD2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90DB7D second address: 90DB8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FCAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90DB8B second address: 90DBC4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC973h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F4860DEC979h 0x0000000f push eax 0x00000010 push edx 0x00000011 jg 00007F4860DEC966h 0x00000017 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90E953 second address: 90E968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4860DEC96Eh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90E968 second address: 90E973 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F4860DF3FC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90E981 second address: 90E993 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F4860DF3FC6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 90E993 second address: 90E9B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC972h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F4860DEC966h 0x00000011 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 916557 second address: 91656F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4860DF3FCAh 0x00000009 je 00007F4860DF3FDFh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9160BD second address: 9160CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F4860DF3FC6h 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9160D2 second address: 9160DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F4860DF3FC6h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9160DF second address: 9160EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4860DEC966h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 91629D second address: 9162AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F4860DF3FC6h 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 8948DF second address: 89490C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jp 00007F4860DEC966h 0x0000000c jne 00007F4860DEC966h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jg 00007F4860DEC966h 0x0000001b jmp 00007F4860DEC972h 0x00000020 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9315AC second address: 9315CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F4860DEC966h 0x0000000a jo 00007F4860DEC966h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007F4860DEC966h 0x00000019 jns 00007F4860DEC966h 0x0000001f rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 9315CF second address: 9315E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F4860DEC966h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d jl 00007F4860DEC96Eh 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 933700 second address: 933721 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F4860DF3FD2h 0x0000000f jnc 00007F4860DF3FC6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 933721 second address: 933735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jmp 00007F4860DEC96Dh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 933735 second address: 93374C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F4860DF3FCBh 0x0000000c push ecx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93CDB8 second address: 93CDC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4860DF3FC6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93CF34 second address: 93CF40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F4860DF3FC6h 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93CF46 second address: 93CF54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F4860DF3FCEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe RDTSC instruction interceptor: First address: 93F7A4 second address: 93F7CD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4860DEC971h 0x00000008 jmp 00007F4860DEC96Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4860DEC974h 0x00000014 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 88DBB6 second address: 88DC0A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnp 00007F4860DF3FC6h 0x0000000f jmp 00007F4860DF3FD6h 0x00000014 popad 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jc 00007F4860DF3FC6h 0x0000001e jmp 00007F4860DF3FCAh 0x00000023 popad 0x00000024 popad 0x00000025 push edi 0x00000026 pushad 0x00000027 pushad 0x00000028 popad 0x00000029 push ecx 0x0000002a pop ecx 0x0000002b popad 0x0000002c pushad 0x0000002d jmp 00007F4860DF3FCDh 0x00000032 pushad 0x00000033 popad 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 941076 second address: 94108A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4860DEC96Eh 0x00000008 jnp 00007F4860DEC966h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 957862 second address: 957882 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F4860DEC970h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F4860DEC966h 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 957882 second address: 95788E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4860DF3FC6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 95770A second address: 95770E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 959028 second address: 95902E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 95BC03 second address: 95BC11 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4860DEC968h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 95BC11 second address: 95BC15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 97F24A second address: 97F24E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 97F24E second address: 97F298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F4860DF3FD3h 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4860DF3FD5h 0x00000018 jmp 00007F4860DF3FD4h 0x0000001d rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 97F298 second address: 97F2A4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jno 00007F4860DEC966h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 97FB07 second address: 97FB0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 97FB0D second address: 97FB11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 97FB11 second address: 97FB28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FD3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 97FF70 second address: 97FF7E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F4860DEC972h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 97FF7E second address: 97FF84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 97FF84 second address: 97FF88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 97FF88 second address: 97FF8D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 980121 second address: 980168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007F4860DEC96Ch 0x0000000c popad 0x0000000d pushad 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F4860DEC96Eh 0x00000016 pop ecx 0x00000017 pushad 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a jnp 00007F4860DEC966h 0x00000020 pushad 0x00000021 popad 0x00000022 jmp 00007F4860DEC96Ah 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a jp 00007F4860DEC966h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 980168 second address: 98016C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 9832FA second address: 9832FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 9832FE second address: 983366 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a sbb dh, FFFFFFB1h 0x0000000d push dword ptr [ebp+122D3209h] 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F4860DF3FC8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d add dword ptr [ebp+122D2A16h], eax 0x00000033 push edx 0x00000034 pushad 0x00000035 cld 0x00000036 mov esi, dword ptr [ebp+122D1F80h] 0x0000003c popad 0x0000003d pop edx 0x0000003e jo 00007F4860DF3FC9h 0x00000044 mov dx, di 0x00000047 push 0B868C74h 0x0000004c pushad 0x0000004d jno 00007F4860DF3FCCh 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 983366 second address: 98336A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 986516 second address: 986525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 jp 00007F4860DF3FD2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 986525 second address: 986535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F4860DEC966h 0x0000000a popad 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 986535 second address: 986539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 9860F6 second address: 986130 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC96Ah 0x00000007 jmp 00007F4860DEC973h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jng 00007F4860DEC983h 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 jmp 00007F4860DEC96Fh 0x0000001d rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 988166 second address: 98817F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnl 00007F4860DF3FC6h 0x00000009 jc 00007F4860DF3FC6h 0x0000000f pop edi 0x00000010 pushad 0x00000011 jp 00007F4860DF3FC6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 98817F second address: 988185 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 957862 second address: 957882 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F4860DF3FD0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F4860DF3FC6h 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 957882 second address: 95788E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4860DEC966h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 95BC03 second address: 95BC11 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4860DF3FC8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 97F24E second address: 97F298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F4860DEC973h 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4860DEC975h 0x00000018 jmp 00007F4860DEC974h 0x0000001d rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 97F298 second address: 97F2A4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jno 00007F4860DF3FC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 97FB11 second address: 97FB28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DEC973h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 97FF70 second address: 97FF7E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F4860DF3FD2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 980121 second address: 980168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007F4860DF3FCCh 0x0000000c popad 0x0000000d pushad 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F4860DF3FCEh 0x00000016 pop ecx 0x00000017 pushad 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a jnp 00007F4860DF3FC6h 0x00000020 pushad 0x00000021 popad 0x00000022 jmp 00007F4860DF3FCAh 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a jp 00007F4860DF3FC6h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 9832FE second address: 983366 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a sbb dh, FFFFFFB1h 0x0000000d push dword ptr [ebp+122D3209h] 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F4860DEC968h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d add dword ptr [ebp+122D2A16h], eax 0x00000033 push edx 0x00000034 pushad 0x00000035 cld 0x00000036 mov esi, dword ptr [ebp+122D1F80h] 0x0000003c popad 0x0000003d pop edx 0x0000003e jo 00007F4860DEC969h 0x00000044 mov dx, di 0x00000047 push 0B868C74h 0x0000004c pushad 0x0000004d jno 00007F4860DEC96Ch 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 986516 second address: 986535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 jp 00007F4860DEC972h 0x0000000d popad 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: FD0270 second address: FCFBA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007F4860DF3FD2h 0x00000011 push dword ptr [ebp+122D0F11h] 0x00000017 cld 0x00000018 call dword ptr [ebp+122D1CB6h] 0x0000001e pushad 0x0000001f xor dword ptr [ebp+122D2535h], ebx 0x00000025 xor eax, eax 0x00000027 xor dword ptr [ebp+122D2535h], edx 0x0000002d mov edx, dword ptr [esp+28h] 0x00000031 jmp 00007F4860DF3FCAh 0x00000036 mov dword ptr [ebp+122D38ACh], eax 0x0000003c cmc 0x0000003d mov esi, 0000003Ch 0x00000042 pushad 0x00000043 mov ebx, dword ptr [ebp+122D37ECh] 0x00000049 mov ch, dh 0x0000004b popad 0x0000004c add esi, dword ptr [esp+24h] 0x00000050 sub dword ptr [ebp+122D2535h], edi 0x00000056 lodsw 0x00000058 jmp 00007F4860DF3FD7h 0x0000005d add eax, dword ptr [esp+24h] 0x00000061 jmp 00007F4860DF3FD4h 0x00000066 mov ebx, dword ptr [esp+24h] 0x0000006a mov dword ptr [ebp+122D299Dh], ecx 0x00000070 push eax 0x00000071 push edx 0x00000072 pushad 0x00000073 jmp 00007F4860DF3FCDh 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1155142 second address: 1155151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F4860DEC966h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1155151 second address: 1155157 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1155157 second address: 1155175 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4860DEC972h 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007F4860DEC966h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1155175 second address: 1155179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1155179 second address: 115517D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 114809D second address: 11480BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F4860DF3FD8h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11480BF second address: 11480DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4860DEC977h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11480DB second address: 11480EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4860DF3FCBh 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154737 second address: 115476D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnc 00007F4860DEC966h 0x0000000d ja 00007F4860DEC966h 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F4860DEC977h 0x0000001c ja 00007F4860DEC96Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 115476D second address: 1154771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154771 second address: 1154785 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4860DEC96Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154785 second address: 1154789 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154A07 second address: 1154A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154A0B second address: 1154A1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jbe 00007F4860DF3FC6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154A1C second address: 1154A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154A24 second address: 1154A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007F4860DF3FD6h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154A46 second address: 1154A4E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154A4E second address: 1154A54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1154A54 second address: 1154A58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 117763B second address: 1177661 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4860DF3FD2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007F4860DF3FCEh 0x00000011 js 00007F4860DF3FC6h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1177661 second address: 117767E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4860DEC979h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Special instruction interceptor: First address: AFFB3A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Special instruction interceptor: First address: AFFBFF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Special instruction interceptor: First address: CF7A33 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 71FB3A instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 71FBFF instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 917A33 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: FCFB3A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: FCFBFF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 11C7A33 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Window / User API: threadDelayed 1346
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Window / User API: threadDelayed 1067
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 396
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1445
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1258
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1207
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe TID: 6592 Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe TID: 6568 Thread sleep count: 1346 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe TID: 6568 Thread sleep time: -2693346s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe TID: 6552 Thread sleep count: 1067 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe TID: 6552 Thread sleep time: -2135067s >= -30000s
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe TID: 6448 Thread sleep count: 190 > 30
Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe TID: 3732 Thread sleep count: 236 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5684 Thread sleep count: 103 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5684 Thread sleep time: -206103s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4500 Thread sleep count: 138 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4500 Thread sleep time: -276138s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 928 Thread sleep count: 109 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 928 Thread sleep time: -218109s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4412 Thread sleep count: 111 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4412 Thread sleep time: -222111s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1364 Thread sleep count: 32 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1364 Thread sleep count: 630 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1364 Thread sleep time: -63630s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7020 Thread sleep count: 334 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7020 Thread sleep count: 94 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3328 Thread sleep count: 128 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3328 Thread sleep time: -256128s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6228 Thread sleep count: 123 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6228 Thread sleep time: -246123s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5436 Thread sleep count: 32 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5436 Thread sleep count: 396 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5436 Thread sleep time: -39996s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7084 Thread sleep count: 342 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7084 Thread sleep count: 59 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3760 Thread sleep count: 68 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3760 Thread sleep time: -136068s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7244 Thread sleep time: -54027s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7228 Thread sleep count: 1445 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7228 Thread sleep time: -2891445s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7200 Thread sleep count: 196 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7336 Thread sleep count: 229 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7224 Thread sleep count: 1258 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7224 Thread sleep time: -2517258s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7232 Thread sleep count: 1207 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7232 Thread sleep time: -2415207s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7492 Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7492 Thread sleep time: -92046s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7500 Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7500 Thread sleep time: -92046s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7460 Thread sleep count: 220 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7664 Thread sleep count: 240 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_00A29610 GetKeyboardLayoutList followed by cmp: cmp ecx, edx and CTI: je 00A2962Ah
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_00A27780 GetKeyboardLayoutList followed by cmp: cmp eax, 21h and CTI: jc 00A27790h, country: Indonesian (id)
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_00A27750 GetKeyboardLayoutList followed by cmp: cmp eax, 0eh and CTI: jc 00A27760h, country: Hungarian (hu)
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_00A27D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 00A27D50h, country: Upper Sorbian (hsb)
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00647D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 00647D50h, country: Upper Sorbian (hsb)
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00649610 GetKeyboardLayoutList followed by cmp: cmp ecx, edx and CTI: je 0064962Ah
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00647750 GetKeyboardLayoutList followed by cmp: cmp eax, 0eh and CTI: jc 00647760h, country: Hungarian (hu)
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00647780 GetKeyboardLayoutList followed by cmp: cmp eax, 21h and CTI: jc 00647790h, country: Indonesian (id)
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00649610 GetKeyboardLayoutList followed by cmp: cmp ecx, edx and CTI: je 0064962Ah
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00647750 GetKeyboardLayoutList followed by cmp: cmp eax, 0eh and CTI: jc 00647760h, country: Hungarian (hu)
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00647780 GetKeyboardLayoutList followed by cmp: cmp eax, 21h and CTI: jc 00647790h, country: Indonesian (id)
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00647D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 00647D50h, country: Upper Sorbian (hsb)
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EF7D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 00EF7D50h, country: Upper Sorbian (hsb)
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EF9610 GetKeyboardLayoutList followed by cmp: cmp ecx, edx and CTI: je 00EF962Ah
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EF7780 GetKeyboardLayoutList followed by cmp: cmp eax, 21h and CTI: jc 00EF7790h, country: Indonesian (id)
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EF7750 GetKeyboardLayoutList followed by cmp: cmp eax, 0eh and CTI: jc 00EF7760h, country: Hungarian (hu)
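The GetKeyboardLayoutList lines above are the report's "keyboard layout check" heuristic: it pairs each `cmp eax, imm` immediate with a language. The Python below is an added example, not code from the sample or from Joe Sandbox, showing how the returned HKL handles decode to a primary language ID and how the two possible readings of the check (equality against the immediate versus the unsigned "below" test that `jc` actually performs) differ. The HKL values are constructed sample input; the assumption that `eax` holds the primary LANGID at the compare is the example's own.

```python
"""Decode the GetKeyboardLayoutList comparisons listed above.

Added example, not code from the sample or from Joe Sandbox.  GetKeyboardLayoutList
fills an array of HKL handles; the low 16 bits of an HKL are the LANGID of the
layout's input language and the low 10 bits of a LANGID are its primary language
(PRIMARYLANGID in winnt.h).  The immediates 21h, 0Eh and 2Eh from the report's cmp
instructions are the primary language IDs the report labels Indonesian, Hungarian
and Upper Sorbian (LANG_INDONESIAN, LANG_HUNGARIAN, LANG_UPPER_SORBIAN).
"""

def primary_langid(hkl: int) -> int:
    """PRIMARYLANGID(LOWORD(hkl)): the low 10 bits of the layout's LANGID."""
    return hkl & 0x3FF

# Immediates copied from the report's cmp instructions, with the names it attached.
TARGET_LANGS = {
    0x21: "Indonesian (id)",
    0x0E: "Hungarian (hu)",
    0x2E: "Upper Sorbian (hsb)",
}

def matching_layouts(hkls, targets=TARGET_LANGS):
    """(hkl, language name) for every installed layout whose primary language is targeted."""
    return [(hkl, targets[primary_langid(hkl)])
            for hkl in hkls if primary_langid(hkl) in targets]

def would_trigger(hkls, targets=TARGET_LANGS) -> bool:
    """Equality reading of the check: at least one installed layout is in the target set.
    This is the shape of a locale gate (run only on, or never on, hosts with a layout)."""
    return bool(matching_layouts(hkls, targets))

def jc_outcomes(hkl: int, imms=tuple(TARGET_LANGS)) -> dict:
    """Range reading of the check: after `cmp eax, imm`, `jc` is taken iff eax < imm
    (unsigned).  Assuming eax holds the primary LANGID, each branch splits the
    language-ID space at the immediate rather than testing one language, which is
    why the per-immediate country label in the report is a heuristic."""
    lang = primary_langid(hkl)
    return {imm: lang < imm for imm in imms}

# Constructed sample input: HKLs as GetKeyboardLayoutList returns them
# (high word = layout, low word = LANGID): en-US, ru-RU, hu-HU.
SAMPLE_HKLS = [0x04090409, 0x04190419, 0x040E040E]

if __name__ == "__main__":
    print(matching_layouts(SAMPLE_HKLS))
    print(would_trigger(SAMPLE_HKLS))
    for hkl in SAMPLE_HKLS:
        print(hex(hkl), jc_outcomes(hkl))
```

Running it on the sample list reports only the Hungarian layout as a match under the equality reading, while `jc_outcomes` shows that an en-US host (primary ID 0x09) is "below" all three immediates, so a single `cmp`/`jc` pair cannot by itself single out one language; treat the country labels as a pointer to where the locale logic lives, not as a statement of which locales are excluded.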
            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000009.00000002.2909193362.000000000115E000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
            Source: RageMP131.exe, 00000009.00000002.2907853014.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}6Y
            Source: LisectAVT_2403002A_151.exe, 00000000.00000002.2909714951.00000000012FC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}hZ7
            Source: RageMP131.exe, 00000009.00000003.1907381206.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: RageMP131.exe, 00000007.00000002.2910091238.000000000146E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: RageMP131.exe, 00000009.00000002.2907853014.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&pro
            Source: MPGPH131.exe, 00000005.00000002.2909594920.00000000010FC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}0
            Source: RageMP131.exe, 00000007.00000002.2910091238.000000000145C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
            Source: MPGPH131.exe, 00000006.00000002.2909798840.0000000000B18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}n
            Source: LisectAVT_2403002A_151.exe, 00000000.00000002.2909823323.000000000133E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2907853014.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: RageMP131.exe, 00000009.00000002.2907853014.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}rX
            Source: LisectAVT_2403002A_151.exe, 00000000.00000002.2909823323.000000000133E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
            Source: RageMP131.exe, 00000007.00000002.2910091238.000000000145C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000nes\AppData\Local\Temp\heidiN
            Source: RageMP131.exe, 00000007.00000002.2910091238.0000000001420000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000g
            Source: MPGPH131.exe, 00000005.00000002.2909692267.00000000012FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
            Source: MPGPH131.exe, 00000005.00000002.2909692267.000000000133D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: MPGPH131.exe, 00000006.00000002.2909798840.0000000000B18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&k8
            Source: RageMP131.exe, 00000009.00000003.1907381206.0000000000DD2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}sX
            Source: RageMP131.exe, 00000009.00000002.2907853014.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&QY
            Source: MPGPH131.exe, 00000006.00000002.2909798840.0000000000B52000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_B35512B6
            Source: MPGPH131.exe, 00000006.00000002.2909798840.0000000000B18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
            Source: MPGPH131.exe, 00000005.00000002.2909692267.00000000012FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000nes\AppData\Local\Temp\heidiv
            Source: RageMP131.exe, 00000007.00000002.2910091238.000000000146E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_B35512B6
            Source: LisectAVT_2403002A_151.exe, 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000009.00000002.2909193362.000000000115E000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
            Source: LisectAVT_2403002A_151.exe, 00000000.00000002.2909823323.000000000137E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}6
            Source: MPGPH131.exe, 00000005.00000002.2909692267.00000000012FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
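The thread-sleep lines earlier in this section and the VirtualBox/VMware/Hyper-V strings just listed are the raw material an analyst usually wants condensed per process. The following Python is an added example, not code from the sample or from Joe Sandbox: it parses those lines in the report's own text format, totals and maxes the sleep figures per process, applies the per-thread thresholds the report itself prints (count > 30, time >= 30000), and lists which process memory contained which hypervisor artefact. The sample lines are copied from this report except for one constructed conhost.exe control line; the regexes, threshold names and marker labels are the example's own.

```python
"""Summarise the sandbox's sleep-evasion and VM-artefact signature lines per process.

Added example (not code from the sample or from Joe Sandbox).  It parses the
report's own text format, in which extraction dropped the space between the
source and the signature text ("TID: 6228Thread sleep ...",
"...sdmpBinary or memory string: ..."); both spellings are accepted.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from this report, plus one control line for
# conhost.exe that is NOT in the report and stays below both thresholds.
SAMPLE = r"""
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3328Thread sleep time: -256128s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6228Thread sleep count: 123 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6228Thread sleep time: -246123s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7228Thread sleep count: 1445 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7228Thread sleep time: -2891445s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7224Thread sleep time: -2517258s >= -30000s
Source: C:\Windows\System32\conhost.exe TID: 1234Thread sleep time: -1000s
Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: LisectAVT_2403002A_151.exe, 00000000.00000002.2909823323.000000000133E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RageMP131.exe, 00000007.00000002.2910091238.000000000145C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
"""

SLEEP_RE = re.compile(
    r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) ?Thread sleep (?P<kind>count|time): "
    r"(?P<value>-?\d+)s?(?: (?:>=|>) -?\d+s?)?$"
)

# Per-thread thresholds the report applies (units as printed by the report).
SLEEP_COUNT_THRESHOLD = 30
SLEEP_TIME_THRESHOLD = 30000

def parse_sleep_lines(text):
    """Per-process totals, maxima and thread IDs from 'Thread sleep' signature lines."""
    summary = defaultdict(lambda: {"threads": set(), "sleep_count": 0, "sleep_time": 0,
                                   "max_sleep_count": 0, "max_sleep_time": 0})
    for raw in text.splitlines():
        m = SLEEP_RE.match(raw.strip())
        if not m:
            continue
        proc = m["proc"].rsplit("\\", 1)[-1]      # basename of the Windows path
        value = abs(int(m["value"]))               # negative = relative interval
        s = summary[proc]
        s["threads"].add(int(m["tid"]))
        s["sleep_" + m["kind"]] += value
        s["max_sleep_" + m["kind"]] = max(s["max_sleep_" + m["kind"]], value)
    return dict(summary)

def evasive_processes(summary):
    """Processes with at least one thread over either of the report's thresholds."""
    return sorted(p for p, s in summary.items()
                  if s["max_sleep_count"] > SLEEP_COUNT_THRESHOLD
                  or s["max_sleep_time"] >= SLEEP_TIME_THRESHOLD)

# Hypervisor artefacts seen in this report's memory strings (labels are the example's).
VM_MARKERS = {
    "VirtualBox": re.compile(r"VBOX__", re.I),        # ACPI DSDT table name
    "VMware": re.compile(r"ven_vmware", re.I),        # SCSI disk hardware ID
    "Hyper-V": re.compile(r"Hyper-V RAW", re.I),      # Winsock provider name
}

def vm_artifacts(text):
    """Map each marker to the sorted list of processes whose memory contained it."""
    hits = {name: set() for name in VM_MARKERS}
    for raw in text.splitlines():
        prefix, sep, string = raw.strip().partition("Binary or memory string:")
        if not sep:
            continue
        procs = set(re.findall(r"[\w.-]+\.exe", prefix))   # one line may cite several dumps
        for name, rx in VM_MARKERS.items():
            if rx.search(string):
                hits[name].update(procs)
    return {name: sorted(p) for name, p in hits.items()}

if __name__ == "__main__":
    summary = parse_sleep_lines(SAMPLE)
    for proc, s in summary.items():
        print(proc, sorted(s["threads"]), s["sleep_count"], s["sleep_time"])
    print("evasive:", evasive_processes(summary))
    print("vm artefacts:", vm_artifacts(SAMPLE))
```

Two caveats the output should be read with. The sleep intervals are negative because the report prints them in the form NtDelayExecution takes (a negative count is a relative interval), so the comparison is on magnitudes; the "s" suffix is reproduced as printed. "Hyper-V RAW" is the name of the Hyper-V socket Winsock provider registered in mswsock.dll on ordinary Windows 10 hosts as well, so it is a much weaker indicator than the VBOX__ ACPI table name or the VMware virtual-disk hardware ID.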
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D9F50 LoadLibraryA, GetProcAddress, WriteProcessMemory, WriteProcessMemory, WriteProcessMemory
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D5B90 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009DC0A0 mov eax, dword ptr fs:[00000030h] (5 occurrences)
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D4100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D5498 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D57B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D48E0 mov eax, dword ptr fs:[00000030h] (12 occurrences)
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D4DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_005F48E0 mov eax, dword ptr fs:[00000030h] (12 occurrences)
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_005FC0A0 mov eax, dword ptr fs:[00000030h] (5 occurrences)
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_005F4100 mov eax, dword ptr fs:[00000030h]
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_005F5498 mov eax, dword ptr fs:[00000030h]
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_005F4DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_005F57B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F5B90 mov ecx, dword ptr fs:[00000030h]
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005FC0A0 mov eax, dword ptr fs:[00000030h] (5 occurrences)
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F4100 mov eax, dword ptr fs:[00000030h]
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F5498 mov eax, dword ptr fs:[00000030h]
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F57B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F48E0 mov eax, dword ptr fs:[00000030h] (12 occurrences)
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_005F4DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EA48E0 mov eax, dword ptr fs:[00000030h] (12 occurrences)
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EAC0A0 mov eax, dword ptr fs:[00000030h] (5 occurrences)
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EA4100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EA5498 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EA4DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 7_2_00EA57B8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D4400 cpuid
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Queries volume information: C:\ VolumeInformation
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_00A9F26A GetSystemTimePreciseAsFileTime, GetSystemTimePreciseAsFileTime
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Code function: 0_2_009D7DC0 GetUserNameA, GetFileAttributesA, __Mtx_unlock, __Mtx_unlock, CopyFileA, RegOpenKeyExA, RegSetValueExA, GetFileAttributesA, __Mtx_unlock, __Mtx_unlock, CopyFileA
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_151.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match, file source: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
            Source: Yara match, file source: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara match, file source: 00000000.00000003.1655205420.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000009.00000003.1894436988.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000005.00000003.1713791639.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000006.00000003.1715659153.0000000004320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000009.00000002.2908237269.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara match, file source: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match, file source: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
            Source: Yara match, file source: 00000007.00000003.1808878932.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: Process Memory Space: LisectAVT_2403002A_151.exe PID: 6456, type: MEMORYSTR
            Source: Yara match, file source: Process Memory Space: MPGPH131.exe PID: 5804, type: MEMORYSTR
            Source: Yara match, file source: Process Memory Space: MPGPH131.exe PID: 2932, type: MEMORYSTR
            Source: Yara match, file source: Process Memory Space: RageMP131.exe PID: 7196, type: MEMORYSTR
            Source: Yara match, file source: Process Memory Space: RageMP131.exe PID: 7456, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match, file source: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
            Source: Yara match, file source: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara match, file source: 00000000.00000003.1655205420.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000009.00000003.1894436988.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000005.00000003.1713791639.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000006.00000003.1715659153.0000000004320000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: 00000009.00000002.2908237269.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara match, file source: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match, file source: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
            Source: Yara match, file source: 00000007.00000003.1808878932.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match, file source: Process Memory Space: LisectAVT_2403002A_151.exe PID: 6456, type: MEMORYSTR
            Source: Yara match, file source: Process Memory Space: MPGPH131.exe PID: 5804, type: MEMORYSTR
            Source: Yara match, file source: Process Memory Space: MPGPH131.exe PID: 2932, type: MEMORYSTR
            Source: Yara match, file source: Process Memory Space: RageMP131.exe PID: 7196, type: MEMORYSTR
            Source: Yara match, file source: Process Memory Space: RageMP131.exe PID: 7456, type: MEMORYSTR
            MITRE ATT&CK Matrix (reconstructed from the report's matrix, listed per tactic; the number in parentheses is the count the report printed before that technique, techniques without a number had none)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
            Execution: Command and Scripting Interpreter (3); Scheduled Task/Job (1); Native API (1); Cron; Launchd; Scheduled Task; Systemd Timers
            Persistence: Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
            Privilege Escalation: Process Injection (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items
            Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (2); Process Injection (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); DLL Side-Loading (1)
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
            Discovery: System Time Discovery (1); Security Software Discovery (311); Virtualization/Sandbox Evasion (2); Application Window Discovery (1); Account Discovery (1); System Owner/User Discovery (1); System Information Discovery (233)
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
            Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
            Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (1); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
            Behavior Graph ID: 1482488
            Sample: LisectAVT_2403002A_151.exe
            Startdate: 25/07/2024
            Architecture: WINDOWS
            Score: 100
            Signatures at the top level:
            • Antivirus / Scanner detection for submitted sample
            • Yara detected RisePro Stealer
            • Machine Learning detection for sample
            • 3 other signatures
            Processes started at the top level: LisectAVT_2403002A_151.exe, MPGPH131.exe, RageMP131.exe, 2 other processes
            LisectAVT_2403002A_151.exe:
            • Network: 193.233.132.62 (ports 49730, 49731, 49732), FREE-NET-ASFREEnetEU, Russian Federation
            • Dropped: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32)
            • Dropped: C:\ProgramData\MPGPH131\MPGPH131.exe (PE32)
            • Dropped: C:\Users\...\RageMP131.exe:Zone.Identifier (ASCII)
            • Dropped: C:\...\MPGPH131.exe:Zone.Identifier (ASCII)
            • Signature: Detected unpacking (changes PE section rights)
            • Signature: Uses schtasks.exe or at.exe to add and modify task schedules
            • Signature: Tries to evade debugger and weak emulator (self modifying code)
            • Started: schtasks.exe (two instances), each of which started conhost.exe
            MPGPH131.exe:
            • Signature: Antivirus detection for dropped file
            • Signature: Machine Learning detection for dropped file
            • Signature: Tries to detect virtualization through RDTSC time measurements
            RageMP131.exe:
            • Signature: Tries to detect sandboxes / dynamic malware analysis system (registry check)

            Source | Detection | Scanner | Label
            LisectAVT_2403002A_151.exe | 100% | Avira | TR/Crypt.TPM.Gen
            LisectAVT_2403002A_151.exe | 100% | Joe Sandbox ML |
            Source | Detection | Scanner | Label
            C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Avira | TR/Crypt.TPM.Gen
            C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Avira | TR/Crypt.TPM.Gen
            C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Joe Sandbox ML |
            C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label
            http://www.winimage.com/zLibDll | 0% | URL Reputation | safe
            https://ipinfo.io/ | 0% | URL Reputation | safe
            https://t.me/RiseProSUPPORT | 0% | Avira URL Cloud | safe
            https://www.maxmind.com/en/locate-my-ip-address | 0% | Avira URL Cloud | safe
            https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 0% | Avira URL Cloud | safe
            https://t.me/RiseProSUPPORT2 | 0% | Avira URL Cloud | safe
            No contacted domains info
            Name: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
            Source: LisectAVT_2403002A_151.exe, 00000000.00000003.1655205420.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_151.exe, 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000005.00000003.1713791639.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1715659153.0000000004320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1808878932.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1894436988.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2908237269.0000000000E91000.00000040.00000001.01000000.00000005.sdmp
            Malicious: false
            Antivirus Detection: Avira URL Cloud: safe
            Reputation: unknown

            Name: http://www.winimage.com/zLibDll
            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000003.1715659153.0000000004320000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1808878932.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1894436988.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2908237269.0000000000E91000.00000040.00000001.01000000.00000005.sdmp
            Malicious: false
            Antivirus Detection: URL Reputation: safe
            Reputation: unknown

            Name: https://t.me/RiseProSUPPORT
            Source: RageMP131.exe, 00000009.00000002.2907853014.0000000000D98000.00000004.00000020.00020000.00000000.sdmp
            Malicious: false
            Antivirus Detection: Avira URL Cloud: safe
            Reputation: unknown

            Name: https://ipinfo.io/
            Source: MPGPH131.exe, RageMP131.exe
            Malicious: false
            Antivirus Detection: URL Reputation: safe
            Reputation: unknown

            Name: https://t.me/RiseProSUPPORT2
            Source: MPGPH131.exe, 00000006.00000002.2909798840.0000000000B18000.00000004.00000020.00020000.00000000.sdmp
            Malicious: false
            Antivirus Detection: Avira URL Cloud: safe
            Reputation: unknown

            Name: https://www.maxmind.com/en/locate-my-ip-address
            Source: MPGPH131.exe, RageMP131.exe
            Malicious: false
            Antivirus Detection: Avira URL Cloud: safe
            Reputation: unknown
            IP | Domain | Country | ASN | ASN Name | Malicious
            193.233.132.62 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | true
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1482488
            Start date and time:2024-07-25 23:41:34 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 7m 30s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed:14
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:LisectAVT_2403002A_151.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@11/5@0/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:Failed
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes were analyzed; the report is missing behavior information
            • Report creation exceeded maximum time and may have missing disassembly code information.
            • Report size exceeded maximum capacity and may have missing disassembly code.
            • VT rate limit hit for: LisectAVT_2403002A_151.exe
            Time | Type | Description
            17:42:55 | API Interceptor | 1811859x Sleep call for process: LisectAVT_2403002A_151.exe modified
            17:43:01 | API Interceptor | 3379x Sleep call for process: MPGPH131.exe modified
            17:43:10 | API Interceptor | 1526777x Sleep call for process: RageMP131.exe modified
            22:42:28 | Task Scheduler | Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
            22:42:28 | Task Scheduler | Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
            22:42:30 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
            22:42:38 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
            Match: 193.233.132.62
            Associated Sample Name / URL | Detection | Threat Name | Context
            SecuriteInfo.com.Win32.PWSX-gen.14899.4987.exe | malicious | Amadey, RisePro Stealer | 193.233.132.62:57893/hera/amadka.exe
            SecuriteInfo.com.Win32.PWSX-gen.580.27252.exe | malicious | Amadey, RisePro Stealer | 193.233.132.62:57893/hera/amadka.exe
            SecuriteInfo.com.Win32.PWSX-gen.15960.19323.exe | malicious | Amadey, RisePro Stealer | 193.233.132.62:57893/hera/amadka.exe
            9iz0QM9rMM.exe | malicious | Amadey, RisePro Stealer | 193.233.132.62:57893/hera/amadka.exe
            4fMLTRkOfB.exe | malicious | Amadey, RisePro Stealer | 193.233.132.62:57893/hera/amadka.exe
            q7a5JOlhLZ.exe | malicious | Amadey, RisePro Stealer | 193.233.132.62:57893/hera/amadka.exe
            7jv1U7CgKF.exe | malicious | Amadey, RisePro Stealer | 193.233.132.62:57893/hera/amadka.exe
            file.exe | malicious | Amadey, RisePro Stealer | 193.233.132.62:57893/hera/amadka.exe
            SecuriteInfo.com.Win32.PWSX-gen.10022.32492.exe | malicious | Amadey, RisePro Stealer | 193.233.132.62:57893/hera/amadka.exe
            file.exe | malicious | Amadey, RisePro Stealer | 193.233.132.62:57893/hera/amadka.exe
            No context
            Match: FREE-NET-ASFREEnetEU
            Associated Sample Name / URL | Detection | Threat Name | Context
            LisectAVT_2403002A_163.exe | malicious | RisePro Stealer | 193.233.132.74
            LisectAVT_2403002A_185.exe | malicious | RisePro Stealer | 193.233.132.74
            LisectAVT_2403002A_191.exe | malicious | RisePro Stealer | 193.233.132.62
            LisectAVT_2403002A_218.exe | malicious | RisePro Stealer | 193.233.132.74
            LisectAVT_2403002A_228.exe | malicious | RisePro Stealer | 193.233.132.74
            LisectAVT_2403002A_30.exe | malicious | Amadey | 193.233.132.56
            LisectAVT_2403002A_33.exe | malicious | Amadey | 193.233.132.56
            LisectAVT_2403002A_376.exe | malicious | RisePro Stealer | 193.233.132.74
            LisectAVT_2403002A_389.exe | malicious | Amadey | 193.233.132.56
            LisectAVT_2403002A_419.exe | malicious | RisePro Stealer | 193.233.132.67
            No context
            No context
            Process:C:\Users\user\Desktop\LisectAVT_2403002A_151.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):3193864
            Entropy (8bit):6.666134011697499
            Encrypted:false
            SSDEEP:49152:UHXp7rU8ffCFoGysq/4iNmPP/n6sfFS9ATuTse7lWxN:U5c8ffCFoTsqAiM3/n/XtUlQ
            MD5:A528D71182717541346487642BB54DD2
            SHA1:7C9B47714DFCE098237D5DF9381FCBE1D856F41D
            SHA-256:F4880369EC64EBB35BBF6231F9275D82A878E6C3CDFB75468EA1D529B895892D
            SHA-512:3C1528C17274B79E087684DF0B996EECDAA32F675C94B1626240E28C5BF4D78721E297D86DC081C62C127C6203724DE26B643E31064DA690E4396B6C9C2EEAF3
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:low
            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{Tf..Tg.{T..yUg.{TRichf.{T................PE..L.....e...............".....0.......0;...........@..........................`;......T1...@...........................;.L...m...........X+.......................................................................................................... . .p..........................@....rsrc...X+.......,..................@....idata .............B..............@...qzmhftlj.`'......T'..D..............@...bkynihaq..... ;.......0.............@....taggant.0...0;.."....0.............@...........................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\LisectAVT_2403002A_151.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Reputation:high, very likely benign file
            Preview:[ZoneTransfer]....ZoneId=0
            Process:C:\Users\user\Desktop\LisectAVT_2403002A_151.exe
            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
            Category:dropped
            Size (bytes):3193864
            Entropy (8bit):6.666134011697499
            Encrypted:false
            SSDEEP:49152:UHXp7rU8ffCFoGysq/4iNmPP/n6sfFS9ATuTse7lWxN:U5c8ffCFoTsqAiM3/n/XtUlQ
            MD5:A528D71182717541346487642BB54DD2
            SHA1:7C9B47714DFCE098237D5DF9381FCBE1D856F41D
            SHA-256:F4880369EC64EBB35BBF6231F9275D82A878E6C3CDFB75468EA1D529B895892D
            SHA-512:3C1528C17274B79E087684DF0B996EECDAA32F675C94B1626240E28C5BF4D78721E297D86DC081C62C127C6203724DE26B643E31064DA690E4396B6C9C2EEAF3
            Malicious:true
            Antivirus:
            • Antivirus: Avira, Detection: 100%
            • Antivirus: Joe Sandbox ML, Detection: 100%
            Reputation:low
            Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{Tf..Tg.{T..yUg.{TRichf.{T................PE..L.....e...............".....0.......0;...........@..........................`;......T1...@...........................;.L...m...........X+.......................................................................................................... . .p..........................@....rsrc...X+.......,..................@....idata .............B..............@...qzmhftlj.`'......T'..D..............@...bkynihaq..... ;.......0.............@....taggant.0...0;.."....0.............@...........................................................................................................................................................................................................................
            Process:C:\Users\user\Desktop\LisectAVT_2403002A_151.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Reputation:high, very likely benign file
            Preview:[ZoneTransfer]....ZoneId=0
            Process:C:\Users\user\Desktop\LisectAVT_2403002A_151.exe
            File Type:ASCII text, with no line terminators
            Category:modified
            Size (bytes):13
            Entropy (8bit):2.66122625626979
            Encrypted:false
            SSDEEP:3:LEYP:X
            MD5:F289676D32BF503D94A48E99F6B621B7
            SHA1:E5DF0C0E372CDAF03440C8862C6070B41640D8C4
            SHA-256:67C98213012F8EAD0DCE0792E05A28CBC899CAA652B475415075EF73BF85A4EA
            SHA-512:8F4B99795A7842A230CC663C1A774921A3552EB2DF2FEE55B6D284185F185A2D30FFDA5E71D7DC6E2DC0B79034FA0DC808AE4F39DC5EC91B82408B40DDAE7EC7
            Malicious:false
            Preview:1721949717833
            File type:PE32 executable (GUI) Intel 80386, for MS Windows
            Entropy (8bit):6.666134011697499
            TrID:
            • Win32 Executable (generic) a (10002005/4) 99.96%
            • Generic Win/DOS Executable (2004/3) 0.02%
            • DOS Executable Generic (2002/1) 0.02%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:LisectAVT_2403002A_151.exe
            File size:3'193'864 bytes
            MD5:a528d71182717541346487642bb54dd2
            SHA1:7c9b47714dfce098237d5df9381fcbe1d856f41d
            SHA256:f4880369ec64ebb35bbf6231f9275d82a878e6c3cdfb75468ea1d529b895892d
            SHA512:3c1528c17274b79e087684df0b996eecdaa32f675c94b1626240e28c5bf4d78721e297d86dc081c62c127c6203724de26b643e31064da690e4396b6c9c2eeaf3
            SSDEEP:49152:UHXp7rU8ffCFoGysq/4iNmPP/n6sfFS9ATuTse7lWxN:U5c8ffCFoTsqAiM3/n/XtUlQ
            TLSH:CEE57EA2F505B2CFE5CF17784167CE82695D0BB9472089C3986C74BABDB7CC115BAC28
            File Content Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{
            Icon Hash:c769eccc64f6e2bb
            Entrypoint:0x7b3000
            Entrypoint Section:.taggant
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
            Time Stamp:0x65FE94C6 [Sat Mar 23 08:37:26 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:6
            OS Version Minor:0
            File Version Major:6
            File Version Minor:0
            Subsystem Version Major:6
            Subsystem Version Minor:0
            Import Hash:baa93d47220682c04d92f7797d9224ce
            Instruction
            jmp 00007F486126435Ah
            setp byte ptr [eax]
            add byte ptr [eax], al
            add byte ptr [eax], al
            add cl, ch
            add byte ptr [eax], ah
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3b11b8 | 0x4c | qzmhftlj
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13b06d | 0x95 | .idata
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x138000 | 0x2b58 | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x13b1f8 | 0x8 | .idata
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            (special characters) | 0x1000 | 0x137000 | 0x90600 | 3ff3975b52a6263266e3466c46b9da0b | False | 0.9991561823593074 | OpenPGP Secret Key | 7.983746449936841 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .rsrc | 0x138000 | 0x2b58 | 0x2c00 | b606861556e06d174e42b11831f5e5db | False | 0.22487571022727273 | data | 3.9665421773066165 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .idata  | 0x13b000 | 0x1000 | 0x200 | 37f5282c0fa356b1e50be5becbf91e72 | False | 0.181640625 | data | 1.3087225765280863 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            qzmhftlj | 0x13c000 | 0x276000 | 0x275400 | 54ad86fc5dab3d40281d9c652556627e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            bkynihaq | 0x3b2000 | 0x1000 | 0x200 | f19573cbb9dea92408db637454855fb8 | False | 0.50390625 | data | 3.9591367366889094 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            .taggant | 0x3b3000 | 0x3000 | 0x2200 | 42ba1ccc62328903cb8fb1ac8deb2b68 | False | 0.006548713235294118 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_ICON | 0x138418 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Russian | Russia | 0.1892116182572614
            RT_GROUP_ICON | 0x13a9c0 | 0x14 | data | Russian | Russia | 1.15
            RT_VERSION | 0x138130 | 0x2e4 | data | Russian | Russia | 0.4689189189189189
            RT_MANIFEST | 0x13a9d8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
            DLL | Import
            kernel32.dll | lstrcpy
            comctl32.dll | InitCommonControls
            Name | Ordinal | Address
            Start | 1 | 0x466e80
            Language of compilation system | Country where language is spoken
            Russian | Russia
            English | United States
            Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
            2024-07-25T23:42:32.818118+0200 | TCP | 2049060 | ET MALWARE RisePro TCP Heartbeat Packet | 49731 | 58709 | 192.168.2.4 | 193.233.132.62
            2024-07-25T23:42:46.250615+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49734 | 40.68.123.157 | 192.168.2.4
            2024-07-25T23:42:27.536551+0200 | TCP | 2049060 | ET MALWARE RisePro TCP Heartbeat Packet | 49730 | 58709 | 192.168.2.4 | 193.233.132.62
            2024-07-25T23:42:35.811823+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49731 | 58709 | 192.168.2.4 | 193.233.132.62
            2024-07-25T23:42:35.811723+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49732 | 58709 | 192.168.2.4 | 193.233.132.62
            2024-07-25T23:42:30.525266+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49730 | 58709 | 192.168.2.4 | 193.233.132.62
            2024-07-25T23:42:53.202466+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49740 | 58709 | 192.168.2.4 | 193.233.132.62
            2024-07-25T23:42:45.437263+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49733 | 58709 | 192.168.2.4 | 193.233.132.62
            2024-07-25T23:43:26.815937+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49741 | 40.68.123.157 | 192.168.2.4

            Click to jump to process

            Click to jump to process

            Click to dive into process behavior distribution

            Click to jump to process

            Target ID:0
            Start time:17:42:23
            Start date:25/07/2024
            Path:C:\Users\user\Desktop\LisectAVT_2403002A_151.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_151.exe"
            Imagebase:0x9c0000
            File size:3'193'864 bytes
            MD5 hash:A528D71182717541346487642BB54DD2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1655205420.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
            Reputation:low
            Has exited:false

            Target ID:1
            Start time:17:42:26
            Start date:25/07/2024
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
            Imagebase:0xcc0000
            File size:187'904 bytes
            MD5 hash:48C2FE20575769DE916F48EF0676A965
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:2
            Start time:17:42:26
            Start date:25/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:3
            Start time:17:42:26
            Start date:25/07/2024
            Path:C:\Windows\SysWOW64\schtasks.exe
            Wow64 process (32bit):true
            Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
            Imagebase:0xcc0000
            File size:187'904 bytes
            MD5 hash:48C2FE20575769DE916F48EF0676A965
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:17:42:26
            Start date:25/07/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff7699e0000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:5
            Start time:17:42:28
            Start date:25/07/2024
            Path:C:\ProgramData\MPGPH131\MPGPH131.exe
            Wow64 process (32bit):true
            Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
            Imagebase:0x5e0000
            File size:3'193'864 bytes
            MD5 hash:A528D71182717541346487642BB54DD2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000003.1713791639.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 100%, Joe Sandbox ML
            Reputation:low
            Has exited:false

            Target ID:6
            Start time:17:42:28
            Start date:25/07/2024
            Path:C:\ProgramData\MPGPH131\MPGPH131.exe
            Wow64 process (32bit):true
            Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
            Imagebase:0x5e0000
            File size:3'193'864 bytes
            MD5 hash:A528D71182717541346487642BB54DD2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000003.1715659153.0000000004320000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
            Reputation:low
            Has exited:false

            Target ID:7
            Start time:17:42:38
            Start date:25/07/2024
            Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
            Imagebase:0xe90000
            File size:3'193'864 bytes
            MD5 hash:A528D71182717541346487642BB54DD2
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000003.1808878932.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            Antivirus matches:
            • Detection: 100%, Avira
            • Detection: 100%, Joe Sandbox ML
            Reputation:low
            Has exited:false

            Target ID:9
            Start time:17:42:47
            Start date:25/07/2024
            Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
            Imagebase:0xe90000
            File size:3'193'864 bytes
            MD5 hash:A528D71182717541346487642BB54DD2
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000003.1894436988.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
            • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.2908237269.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
            Reputation:low
            Has exited:false

              Execution Graph

              Execution Coverage:4.3%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:40.5%
              Total number of Nodes:893
              Total number of Limit Nodes:115
a3216b 32513->32518 32515 a9f290 std::_Facet_Register 2 API calls 32514->32515 32519 a32132 32515->32519 32516->32313 32517->32514 32520 a321bc 32517->32520 32518->32516 32522 a9f290 std::_Facet_Register 2 API calls 32518->32522 32519->32516 32523 aa47b0 RtlAllocateHeap 32519->32523 32638 9c21d0 RtlAllocateHeap RtlAllocateHeap Concurrency::cancel_current_task ___std_exception_copy 32520->32638 32522->32516 32524 a321c6 32523->32524 32639 aad7d6 RtlAllocateHeap ___std_exception_destroy 32524->32639 32526 a321e4 std::ios_base::_Ios_base_dtor 32526->32313 32528 a2a504 32527->32528 32531 a2a514 std::locale::_Init 32528->32531 32640 a306c0 2 API calls 4 library calls 32528->32640 32530 a2a55a 32530->32320 32531->32320 32641 aa52a0 32532->32641 32534 9d9b91 32534->32332 32535 9d40e0 32534->32535 32674 a9ec6a 32535->32674 32537 9d40eb __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 32537->32325 32539 aad17b ___std_exception_copy 32538->32539 32681 aacf4a 32539->32681 32541 aad190 32689 aa44dc 32541->32689 32544 aa8be8 32545 aa8bfb ___std_exception_copy 32544->32545 32699 aa8ac3 32545->32699 32547 aa8c07 32548 aa44dc ___std_exception_copy RtlAllocateHeap 32547->32548 32549 9d9c30 32548->32549 32549->32317 32549->32332 32550->32290 32551->32294 32836 aa46ec RtlAllocateHeap ___std_exception_copy 32553->32836 32555 aa47bf __Getctype 32557 a9f295 std::_Facet_Register 32556->32557 32559 a9f2af 32557->32559 32561 9c21d0 Concurrency::cancel_current_task 32557->32561 32566 aadf2c 32557->32566 32559->32342 32560 a9f2bb 32560->32560 32561->32560 32572 aa0651 RtlAllocateHeap RtlAllocateHeap ___std_exception_destroy ___std_exception_copy 32561->32572 32563 9c2213 32563->32342 32565->32342 32571 ab6e2d __Getctype std::_Facet_Register 32566->32571 32567 ab6e6b 32573 aad23f RtlAllocateHeap __dosmaperr 32567->32573 32568 ab6e56 RtlAllocateHeap 32570 ab6e69 32568->32570 32568->32571 32570->32557 32571->32567 32571->32568 32572->32563 32573->32570 32575 a3a651 32574->32575 32579 a3a545 
32574->32579 32597 9c2270 RtlAllocateHeap RtlAllocateHeap 32575->32597 32577 a3a656 32598 9c21d0 RtlAllocateHeap RtlAllocateHeap Concurrency::cancel_current_task ___std_exception_copy 32577->32598 32580 a3a5b1 32579->32580 32581 a3a5a4 32579->32581 32584 a3a55a 32579->32584 32585 a9f290 std::_Facet_Register 2 API calls 32580->32585 32587 a3a56a std::locale::_Init 32580->32587 32581->32577 32581->32584 32582 a9f290 std::_Facet_Register 2 API calls 32582->32587 32583 aa47b0 RtlAllocateHeap 32588 a3a660 32583->32588 32584->32582 32585->32587 32586 a3a69e std::ios_base::_Ios_base_dtor 32586->32352 32587->32583 32589 a3a619 std::ios_base::_Ios_base_dtor std::locale::_Init 32587->32589 32588->32586 32590 aa47b0 RtlAllocateHeap 32588->32590 32589->32352 32591 a3a6c2 32590->32591 32592 a3a6ff std::ios_base::_Ios_base_dtor 32591->32592 32593 aa47b0 RtlAllocateHeap 32591->32593 32592->32352 32594 a3a737 32593->32594 32599 a2fa40 RtlAllocateHeap std::ios_base::_Ios_base_dtor 32594->32599 32596 a3a74b 32596->32352 32598->32587 32599->32596 32600->32356 32602->32370 32603->32435 32630 a9e5ec 32604->32630 32606 9d62f1 32606->32397 32606->32442 32607->32448 32609 9ca610 32608->32609 32609->32609 32610 aa5362 RtlAllocateHeap 32609->32610 32611 9ca638 32610->32611 32612 aa8be8 5 API calls 32611->32612 32614 9ca645 32611->32614 32612->32614 32613 9ca674 std::ios_base::_Ios_base_dtor 32613->32465 32614->32613 32615 aa47b0 RtlAllocateHeap 32614->32615 32616 9ca68a 32615->32616 32617->32437 32618->32461 32619->32482 32620->32486 32621->32500 32622->32504 32631 a9e64e 32630->32631 32633 a9e614 _ValidateLocalCookies 32630->32633 32631->32633 32636 a9ec91 GetSystemTimePreciseAsFileTime __aulldiv __aullrem __Xtime_get_ticks 32631->32636 32633->32606 32634 a9e6a4 __Xtime_diff_to_millis2 32634->32633 32637 a9ec91 GetSystemTimePreciseAsFileTime __aulldiv __aullrem __Xtime_get_ticks 32634->32637 32636->32634 32637->32634 32638->32519 32639->32526 32640->32530 32644 aa52ac __fread_nolock 
32641->32644 32642 aa52b3 32659 aad23f RtlAllocateHeap __dosmaperr 32642->32659 32644->32642 32646 aa52d3 32644->32646 32645 aa52b8 32660 aa47a0 RtlAllocateHeap ___std_exception_copy 32645->32660 32648 aa52d8 32646->32648 32649 aa52e5 32646->32649 32661 aad23f RtlAllocateHeap __dosmaperr 32648->32661 32655 ab6688 32649->32655 32652 aa52ee 32654 aa52c3 32652->32654 32662 aad23f RtlAllocateHeap __dosmaperr 32652->32662 32654->32534 32656 ab6694 __fread_nolock std::_Lockit::_Lockit 32655->32656 32663 ab672c 32656->32663 32658 ab66af 32658->32652 32659->32645 32660->32654 32661->32654 32662->32654 32667 ab674f __fread_nolock 32663->32667 32665 ab67b0 32673 ab6db3 RtlAllocateHeap __dosmaperr 32665->32673 32667->32667 32668 ab6795 __fread_nolock 32667->32668 32669 ab63f3 32667->32669 32668->32658 32672 ab6400 __Getctype std::_Facet_Register 32669->32672 32670 ab642b RtlAllocateHeap 32671 ab643e __dosmaperr 32670->32671 32670->32672 32671->32665 32672->32670 32672->32671 32673->32668 32677 a9f26a 32674->32677 32678 a9f27b GetSystemTimePreciseAsFileTime 32677->32678 32679 a9ec78 32677->32679 32678->32679 32679->32537 32682 aacf80 32681->32682 32683 aacf58 32681->32683 32682->32541 32683->32682 32684 aacf87 32683->32684 32685 aacf65 32683->32685 32696 aacea3 SetFilePointerEx WriteFile RtlAllocateHeap RtlAllocateHeap __fread_nolock 32684->32696 32695 aa4723 RtlAllocateHeap ___std_exception_copy __Getctype 32685->32695 32688 aacfbf 32688->32541 32690 aa44e8 32689->32690 32691 aa44ff 32690->32691 32697 aa4587 RtlAllocateHeap ___std_exception_copy __Getctype 32690->32697 32693 9d9c2a 32691->32693 32698 aa4587 RtlAllocateHeap ___std_exception_copy __Getctype 32691->32698 32693->32544 32695->32682 32696->32688 32697->32691 32698->32693 32700 aa8acf __fread_nolock 32699->32700 32701 aa8ad9 32700->32701 32703 aa8afc __fread_nolock 32700->32703 32720 aa4723 RtlAllocateHeap ___std_exception_copy __Getctype 32701->32720 32704 aa8af4 32703->32704 32706 aa8b5a 32703->32706 32704->32547 
32707 aa8b8a 32706->32707 32708 aa8b67 32706->32708 32710 aa8b82 32707->32710 32721 aa55d3 32707->32721 32745 aa4723 RtlAllocateHeap ___std_exception_copy __Getctype 32708->32745 32710->32704 32716 aa8bb6 32738 ab4a3f 32716->32738 32720->32704 32722 aa55ec 32721->32722 32723 aa5613 32721->32723 32722->32723 32724 ab5f82 __fread_nolock RtlAllocateHeap 32722->32724 32727 ab6ded 32723->32727 32725 aa5608 32724->32725 32747 ab538b 32725->32747 32728 ab6e04 32727->32728 32730 aa8baa 32727->32730 32728->32730 32815 ab6db3 RtlAllocateHeap __dosmaperr 32728->32815 32731 ab5f82 32730->32731 32732 ab5f8e 32731->32732 32733 ab5fa3 32731->32733 32816 aad23f RtlAllocateHeap __dosmaperr 32732->32816 32733->32716 32735 ab5f93 32817 aa47a0 RtlAllocateHeap ___std_exception_copy 32735->32817 32737 ab5f9e 32737->32716 32739 ab4a68 32738->32739 32742 aa8bbd 32738->32742 32740 ab4ab7 32739->32740 32743 ab4a8f 32739->32743 32822 aa4723 RtlAllocateHeap ___std_exception_copy __Getctype 32740->32822 32742->32710 32746 ab6db3 RtlAllocateHeap __dosmaperr 32742->32746 32818 ab49ae 32743->32818 32745->32710 32746->32710 32748 ab5397 __fread_nolock 32747->32748 32749 ab53d8 32748->32749 32751 ab541e 32748->32751 32752 ab539f 32748->32752 32768 aa4723 RtlAllocateHeap ___std_exception_copy __Getctype 32749->32768 32751->32752 32754 ab549c 32751->32754 32752->32723 32755 ab54c4 32754->32755 32767 ab54e7 __fread_nolock 32754->32767 32756 ab54c8 32755->32756 32758 ab5523 32755->32758 32774 aa4723 RtlAllocateHeap ___std_exception_copy __Getctype 32756->32774 32761 ab5541 32758->32761 32775 aae17d 32758->32775 32769 ab4fe1 32761->32769 32763 ab5559 32763->32767 32778 ab4bb2 RtlAllocateHeap RtlAllocateHeap std::locale::_Init std::_Locinfo::_Locinfo_dtor _ValidateLocalCookies 32763->32778 32764 ab55a0 32765 ab5609 WriteFile 32764->32765 32764->32767 32765->32767 32767->32752 32768->32752 32779 ac0d44 32769->32779 32771 ab5021 32771->32763 32771->32764 32772 ab4ff3 32772->32771 32788 aa9d10 
RtlAllocateHeap RtlAllocateHeap std::_Locinfo::_Locinfo_dtor ___std_exception_copy 32772->32788 32774->32767 32792 aae05c 32775->32792 32777 aae196 32777->32761 32778->32767 32780 ac0d5e 32779->32780 32781 ac0d51 32779->32781 32784 ac0d6a 32780->32784 32790 aad23f RtlAllocateHeap __dosmaperr 32780->32790 32789 aad23f RtlAllocateHeap __dosmaperr 32781->32789 32783 ac0d56 32783->32772 32784->32772 32786 ac0d8b 32791 aa47a0 RtlAllocateHeap ___std_exception_copy 32786->32791 32788->32771 32789->32783 32790->32786 32791->32783 32797 aba6de 32792->32797 32794 aae06e 32795 aae08a SetFilePointerEx 32794->32795 32796 aae076 __fread_nolock 32794->32796 32795->32796 32796->32777 32798 aba6eb 32797->32798 32801 aba700 32797->32801 32810 aad22c RtlAllocateHeap __dosmaperr 32798->32810 32800 aba6f0 32811 aad23f RtlAllocateHeap __dosmaperr 32800->32811 32805 aba725 32801->32805 32812 aad22c RtlAllocateHeap __dosmaperr 32801->32812 32803 aba730 32813 aad23f RtlAllocateHeap __dosmaperr 32803->32813 32805->32794 32807 aba6f8 32807->32794 32808 aba738 32814 aa47a0 RtlAllocateHeap ___std_exception_copy 32808->32814 32810->32800 32811->32807 32812->32803 32813->32808 32814->32807 32815->32730 32816->32735 32817->32737 32819 ab49ba __fread_nolock 32818->32819 32821 ab49f9 32819->32821 32823 ab4b12 32819->32823 32821->32742 32822->32742 32824 aba6de __fread_nolock RtlAllocateHeap 32823->32824 32825 ab4b22 32824->32825 32827 ab4b5a 32825->32827 32829 aba6de __fread_nolock RtlAllocateHeap 32825->32829 32833 ab4b28 32825->32833 32828 aba6de __fread_nolock RtlAllocateHeap 32827->32828 32827->32833 32830 ab4b66 FindCloseChangeNotification 32828->32830 32831 ab4b51 32829->32831 32830->32833 32832 aba6de __fread_nolock RtlAllocateHeap 32831->32832 32832->32827 32835 aba64d RtlAllocateHeap __dosmaperr 32833->32835 32834 ab4b80 __fread_nolock 32834->32821 32835->32834 32836->32555 32837 9d8c58 9 API calls 2 library calls 33403 9c1050 RtlAllocateHeap RtlAllocateHeap 33500 9d9f50 5 API calls 4 
library calls 33501 9d3f50 7 API calls 2 library calls 33438 9c2160 RtlAllocateHeap std::ios_base::_Ios_base_dtor ___std_exception_destroy
              APIs
              • GetUserNameA.ADVAPI32(?,00000104,?,?,?), ref: 009D8006
              • GetFileAttributesA.KERNELBASE(?,00000001,?,?,?,?), ref: 009D815D
              • __Mtx_unlock.LIBCPMT ref: 009D8186
              • __Mtx_unlock.LIBCPMT ref: 009D8195
              • CopyFileA.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,0000005D), ref: 009D8442
              • RegOpenKeyExA.KERNELBASE(80000001,E0F5FDC2,00000000,00020006,00000000), ref: 009D8500
              • RegSetValueExA.KERNELBASE(00000000,?,00000000,00000001,?,?), ref: 009D8537
              • GetFileAttributesA.KERNELBASE(?,00000001,?,?,?,?,?,?), ref: 009D8751
              • __Mtx_unlock.LIBCPMT ref: 009D877A
                • Part of subcall function 00A306C0: Concurrency::cancel_current_task.LIBCPMT ref: 00A30807
              • __Mtx_unlock.LIBCPMT ref: 009D87D7
              • CopyFileA.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 009D8AF9
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: FileMtx_unlock$AttributesCopy$Concurrency::cancel_current_taskNameOpenUserValue
              • String ID: +$131$\
              • API String ID: 816876003-78135455
              • Opcode ID: 034e1c1973b88fb30e6f4138663eb80e1fda18ba8439b9b3641ec5e54a3f97f4
              • Instruction ID: db646e14ae80bc6770e6edc364ec0d4cb071ec237277d6f6c1e6725441e54125
              • Opcode Fuzzy Hash: 034e1c1973b88fb30e6f4138663eb80e1fda18ba8439b9b3641ec5e54a3f97f4
              • Instruction Fuzzy Hash: 8C237D709002598FDB28DF68CD94BEEBBB5AF45304F1481EEE409AB382D7719A85CF51
              APIs
              • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,?,?,?,?), ref: 009D5CBF
              Strings
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: CreateProcess
              • String ID: *$131$D$\
              • API String ID: 963392458-1470618592
              • Opcode ID: 0f1809c3d434f70356b7d77246aec50dca41a62f43da190398fd94a0f742d478
              • Instruction ID: a5bca5a22f466ec471d0ca7153340ac8f5172cf5f46f2b8ade9ee5cc3394a37d
              • Opcode Fuzzy Hash: 0f1809c3d434f70356b7d77246aec50dca41a62f43da190398fd94a0f742d478
              • Instruction Fuzzy Hash: E4239F709042598FDB18CF68CC94BEDBBB5AF09304F1481EED449AB382E7759A85CF91

              Control-flow Graph

              APIs
              • RegOpenKeyExA.KERNELBASE(80000002,C0D5DDC2,00000000,00020019,00000000,FAF8FCC4,FAF8FCC5), ref: 009CB947
              Strings
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: Open
              • String ID: :$_$_$_
              • API String ID: 71445658-4119709311
              • Opcode ID: 3e37df9ee472a7be6f308664dfb44132c577ea80b726c7eabe368cb3425df6b9
              • Instruction ID: 08e1f58c70529c87f88f8a56dec25c85b72794855a219343724b362791038605
              • Opcode Fuzzy Hash: 3e37df9ee472a7be6f308664dfb44132c577ea80b726c7eabe368cb3425df6b9
              • Instruction Fuzzy Hash: 0F72C3B0D002599FDF18CF68CC85BEEBBB5AF45304F1481ADE449AB282D7749A85CF61

              Control-flow Graph

              control_flow_graph 1404 9de0a0-9de0d2 WSAStartup 1405 9de0d8-9de102 call 9c6bd0 * 2 1404->1405 1406 9de1b7-9de1c0 1404->1406 1411 9de10e-9de165 1405->1411 1412 9de104-9de108 1405->1412 1414 9de167-9de16d 1411->1414 1415 9de1b1 1411->1415 1412->1406 1412->1411 1416 9de16f 1414->1416 1417 9de1c5-9de1cf 1414->1417 1415->1406 1418 9de175-9de189 socket 1416->1418 1417->1415 1421 9de1d1-9de1d9 1417->1421 1418->1415 1420 9de18b-9de19b connect 1418->1420 1422 9de19d-9de1a5 closesocket 1420->1422 1423 9de1c1 1420->1423 1422->1418 1424 9de1a7-9de1ab 1422->1424 1423->1417 1424->1415
              APIs
              • WSAStartup.WS2_32 ref: 009DE0CB
              • socket.WS2_32(?,?,?,?,?,?,00AF7320,?,?,?,?,?,?), ref: 009DE17F
              • connect.WS2_32(00000000,?,00000000,?,?,?,00AF7320,?,?,?,?,?,?), ref: 009DE193
              • closesocket.WS2_32(00000000), ref: 009DE19E
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: Startupclosesocketconnectsocket
              • String ID:
              • API String ID: 3098855095-0
              • Opcode ID: 50e87fa983c314c57accca48556bc0cd06cdf2c2fbb1d075e3c84405af64b4eb
              • Instruction ID: a3b48a49e3befaafe3d167f29256fa542e6dece079865463c2ef6b4e4c0cefad
              • Opcode Fuzzy Hash: 50e87fa983c314c57accca48556bc0cd06cdf2c2fbb1d075e3c84405af64b4eb
              • Instruction Fuzzy Hash: 9F31B6717493005FE7209F65884872BB7E8EB86764F004F1EF9A8963D0D37599044BA2
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: +$131
              • API String ID: 0-3749657548
              • Opcode ID: 13130e6c882094c9d7f852cd9ca2af88249f41f397924823f83a14ea271f55eb
              • Instruction ID: ebd95b6a9757bf7370ef1699f9df3a23e44993c0926030032aefe8eaa1b7bef1
              • Opcode Fuzzy Hash: 13130e6c882094c9d7f852cd9ca2af88249f41f397924823f83a14ea271f55eb
              • Instruction Fuzzy Hash: 53B26C70D002598FDB28DF28CD987DDBBB5AF49304F1482EAD409AB782D7759A85CF90
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: +$131
              • API String ID: 0-3749657548
              • Opcode ID: c40e115326674d6298e014117a5b5866911f56e4811afbed0c09d9dff8e054cf
              • Instruction ID: 1f5d2ef0122abed7b084c1617704a7dfb7f432f373365a2aecc03f8e7c8b04d3
              • Opcode Fuzzy Hash: c40e115326674d6298e014117a5b5866911f56e4811afbed0c09d9dff8e054cf
              • Instruction Fuzzy Hash: F6729D709002598FDB18DF68CD98BEDBBB5AF45304F2482EED019AB782D7749A85CF50

              Control-flow Graph

              control_flow_graph 1425 a3a520-a3a53f 1426 a3a651 call 9c2270 1425->1426 1427 a3a545-a3a558 1425->1427 1434 a3a656 call 9c21d0 1426->1434 1428 a3a580-a3a588 1427->1428 1429 a3a55a 1427->1429 1431 a3a591-a3a596 1428->1431 1432 a3a58a-a3a58f 1428->1432 1433 a3a55c-a3a561 1429->1433 1436 a3a59a-a3a5a2 1431->1436 1437 a3a598 1431->1437 1432->1433 1438 a3a564-a3a56f call a9f290 1433->1438 1439 a3a65b-a3a681 call aa47b0 call a28450 1434->1439 1440 a3a5b1-a3a5b3 1436->1440 1441 a3a5a4-a3a5a9 1436->1441 1437->1436 1438->1439 1448 a3a575-a3a57e 1438->1448 1460 a3a683-a3a68c 1439->1460 1461 a3a6aa-a3a6bc 1439->1461 1445 a3a5c2 1440->1445 1446 a3a5b5-a3a5b6 call a9f290 1440->1446 1441->1434 1444 a3a5af 1441->1444 1444->1438 1451 a3a5c4-a3a5e3 1445->1451 1453 a3a5bb-a3a5c0 1446->1453 1448->1451 1454 a3a632-a3a64e call aa0f70 * 2 1451->1454 1455 a3a5e5-a3a607 call aa0f70 * 2 1451->1455 1453->1451 1472 a3a61b-a3a62f call a9f511 1455->1472 1473 a3a609-a3a617 1455->1473 1464 a3a6a0-a3a6a7 call a9f511 1460->1464 1465 a3a68e-a3a69c 1460->1465 1464->1461 1468 a3a69e 1465->1468 1469 a3a6bd-a3a6d9 call aa47b0 1465->1469 1468->1464 1479 a3a6db-a3a6e1 1469->1479 1480 a3a71d-a3a724 1469->1480 1473->1439 1476 a3a619 1473->1476 1476->1472 1482 a3a6e3-a3a6ed 1479->1482 1483 a3a70b-a3a719 1479->1483 1484 a3a731 1480->1484 1485 a3a726-a3a72e call a9f511 1480->1485 1486 a3a701-a3a708 call a9f511 1482->1486 1487 a3a6ef-a3a6fd 1482->1487 1483->1480 1485->1484 1486->1483 1489 a3a732-a3a74c call aa47b0 call a2fa40 1487->1489 1490 a3a6ff 1487->1490 1490->1486
              APIs
              • Concurrency::cancel_current_task.LIBCPMT ref: 00A3A656
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: Concurrency::cancel_current_task
              • String ID: pected $unexpected
              • API String ID: 118556049-356062554
              • Opcode ID: a488096d346ddb20ad401a233e08d86b5c368dbbab1f4f7ebdf35b9828553d39
              • Instruction ID: 8df9bf15d2e3d6343c41cc4f4997b2b20c4304e511673dd9ef78d9bacf5a0b48
              • Opcode Fuzzy Hash: a488096d346ddb20ad401a233e08d86b5c368dbbab1f4f7ebdf35b9828553d39
              • Instruction Fuzzy Hash: 27515A726001209FDB18EF28DD81A6EB7E5EF95310F24462DF886CB686DB30ED4187D2

              Control-flow Graph

              control_flow_graph 1498 9ca690-9ca6a7 call a9e812 1501 9ca6fe-9ca722 call a9e4bb call a9e812 1498->1501 1502 9ca6a9-9ca6ab 1498->1502 1515 9ca73f-9ca745 call a9e4bb 1501->1515 1516 9ca724-9ca73e call a9e823 1501->1516 1504 9ca6ad-9ca6af 1502->1504 1505 9ca6e7 1502->1505 1507 9ca6b2-9ca6b7 1504->1507 1508 9ca6e9-9ca6fd call a9e823 1505->1508 1507->1507 1510 9ca6b9-9ca6bb 1507->1510 1510->1505 1514 9ca6bd-9ca6c7 GetFileAttributesA 1510->1514 1517 9ca6c9-9ca6d2 1514->1517 1518 9ca6e3-9ca6e5 1514->1518 1517->1518 1524 9ca6d4-9ca6d7 1517->1524 1518->1508 1524->1518 1526 9ca6d9-9ca6dc 1524->1526 1526->1518 1527 9ca6de-9ca6e1 1526->1527 1527->1505 1527->1518
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: Mtx_unlock$AttributesFile
              • String ID:
              • API String ID: 1886074773-0
              • Opcode ID: 4431b051a9b591b744f1877221082096fe3d1b44a4aca31e4795d0046187f9c3
              • Instruction ID: 03131cd43c624cc0baed9e7abf51cf07fe0258d778aa8af7ff86981e4ad8f862
              • Opcode Fuzzy Hash: 4431b051a9b591b744f1877221082096fe3d1b44a4aca31e4795d0046187f9c3
              • Instruction Fuzzy Hash: 24014991F40129226D34A5B42E86EBF654C88933AC71D4D3AFC41D7347F447CD4041E3

              Control-flow Graph

              control_flow_graph 1843 9ca090-9ca12b call a9f290 call 9c2ae0 1848 9ca130-9ca13b 1843->1848 1848->1848 1849 9ca13d-9ca148 1848->1849 1850 9ca14d-9ca15e call aa5362 1849->1850 1851 9ca14a 1849->1851 1854 9ca1c4-9ca1ca 1850->1854 1855 9ca160-9ca189 call aa9136 call aa4eeb call aa9136 1850->1855 1851->1850 1856 9ca1cc-9ca1d8 1854->1856 1857 9ca1f4-9ca206 1854->1857 1872 9ca19b-9ca1a2 call a2cf60 1855->1872 1873 9ca18b-9ca18f 1855->1873 1859 9ca1ea-9ca1f1 call a9f511 1856->1859 1860 9ca1da-9ca1e8 1856->1860 1859->1857 1860->1859 1862 9ca207-9ca2ab call aa47b0 call a9f290 call 9c2ae0 1860->1862 1883 9ca2b0-9ca2bb 1862->1883 1879 9ca1a7-9ca1ad 1872->1879 1875 9ca191 1873->1875 1876 9ca193-9ca199 1873->1876 1875->1876 1876->1879 1881 9ca1af 1879->1881 1882 9ca1b1-9ca1c1 call aadbdf call aa8be8 1879->1882 1881->1882 1882->1854 1883->1883 1885 9ca2bd-9ca2c8 1883->1885 1887 9ca2cd-9ca2de call aa5362 1885->1887 1888 9ca2ca 1885->1888 1893 9ca2e0-9ca305 call aa9136 call aa4eeb call aa9136 1887->1893 1894 9ca351-9ca357 1887->1894 1888->1887 1912 9ca30c-9ca316 1893->1912 1913 9ca307 1893->1913 1896 9ca359-9ca365 1894->1896 1897 9ca381-9ca393 1894->1897 1899 9ca377-9ca37e call a9f511 1896->1899 1900 9ca367-9ca375 1896->1900 1899->1897 1900->1899 1902 9ca394-9ca3ae call aa47b0 1900->1902 1909 9ca3b0-9ca3bb 1902->1909 1909->1909 1911 9ca3bd-9ca3c8 1909->1911 1914 9ca3cd-9ca3df call aa5362 1911->1914 1915 9ca3ca 1911->1915 1916 9ca328-9ca32f call a2cf60 1912->1916 1917 9ca318-9ca31c 1912->1917 1913->1912 1926 9ca3fc-9ca403 1914->1926 1927 9ca3e1-9ca3f9 call aa9136 call aa4eeb call aa8be8 1914->1927 1915->1914 1922 9ca334-9ca33a 1916->1922 1920 9ca31e 1917->1920 1921 9ca320-9ca326 1917->1921 1920->1921 1921->1922 1924 9ca33c 1922->1924 1925 9ca33e-9ca349 call aadbdf call aa8be8 1922->1925 1924->1925 1942 9ca34e 1925->1942 1928 9ca42d-9ca433 1926->1928 1929 9ca405-9ca411 1926->1929 1927->1926 1932 9ca423-9ca42a call a9f511 1929->1932 1933 9ca413-9ca421 1929->1933 
1932->1928 1933->1932 1936 9ca434-9ca439 call aa47b0 1933->1936 1942->1894
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: __fread_nolock
              • String ID:
              • API String ID: 2638373210-0
              • Opcode ID: 6ad00d6ebb3e1e3234bc2e7a8cbb054864a5c8b3e6944d5dd940b992d216183e
              • Instruction ID: a3494f98f19e308f7e98da6387b6597decab6796fc95e15bb319526c902a7ae2
              • Opcode Fuzzy Hash: 6ad00d6ebb3e1e3234bc2e7a8cbb054864a5c8b3e6944d5dd940b992d216183e
              • Instruction Fuzzy Hash: 8EB14570900249AFDB18DF28CD45FAFBBE8EF46304F10856DF4059B682D3B49A41CBA2

              Control-flow Graph

              control_flow_graph 1947 ab4623-ab4633 1948 ab464d-ab464f 1947->1948 1949 ab4635-ab4648 call aad22c call aad23f 1947->1949 1951 ab498f-ab499c call aad22c call aad23f 1948->1951 1952 ab4655-ab465b 1948->1952 1963 ab49a7 1949->1963 1970 ab49a2 call aa47a0 1951->1970 1952->1951 1954 ab4661-ab468a 1952->1954 1954->1951 1957 ab4690-ab4699 1954->1957 1960 ab469b-ab46ae call aad22c call aad23f 1957->1960 1961 ab46b3-ab46b5 1957->1961 1960->1970 1966 ab498b-ab498d 1961->1966 1967 ab46bb-ab46bf 1961->1967 1968 ab49aa-ab49ad 1963->1968 1966->1968 1967->1966 1971 ab46c5-ab46c9 1967->1971 1970->1963 1971->1960 1972 ab46cb-ab46e2 1971->1972 1975 ab4717-ab471d 1972->1975 1976 ab46e4-ab46e7 1972->1976 1980 ab471f-ab4726 1975->1980 1981 ab46f1-ab4708 call aad22c call aad23f call aa47a0 1975->1981 1978 ab46e9-ab46ef 1976->1978 1979 ab470d-ab4715 1976->1979 1978->1979 1978->1981 1983 ab478a-ab47a9 1979->1983 1984 ab472a-ab4748 call ab6e2d call ab6db3 * 2 1980->1984 1985 ab4728 1980->1985 2010 ab48c2 1981->2010 1987 ab47af-ab47bb 1983->1987 1988 ab4865-ab486e call ac0d44 1983->1988 2014 ab474a-ab4760 call aad23f call aad22c 1984->2014 2015 ab4765-ab4788 call aae13d 1984->2015 1985->1984 1987->1988 1993 ab47c1-ab47c3 1987->1993 2001 ab48df 1988->2001 2002 ab4870-ab4882 1988->2002 1993->1988 1994 ab47c9-ab47ea 1993->1994 1994->1988 1998 ab47ec-ab4802 1994->1998 1998->1988 2003 ab4804-ab4806 1998->2003 2007 ab48e3-ab48f9 ReadFile 2001->2007 2002->2001 2006 ab4884-ab4893 2002->2006 2003->1988 2008 ab4808-ab482b 2003->2008 2006->2001 2024 ab4895-ab4899 2006->2024 2011 ab48fb-ab4901 2007->2011 2012 ab4957-ab4962 2007->2012 2008->1988 2013 ab482d-ab4843 2008->2013 2016 ab48c5-ab48cf call ab6db3 2010->2016 2011->2012 2018 ab4903 2011->2018 2026 ab497b-ab497e 2012->2026 2027 ab4964-ab4976 call aad23f call aad22c 2012->2027 2013->1988 2020 ab4845-ab4847 2013->2020 2014->2010 2015->1983 2016->1968 2019 ab4906-ab4918 2018->2019 2019->2016 2028 ab491a-ab491e 2019->2028 2020->1988 
2029 ab4849-ab4860 2020->2029 2024->2007 2033 ab489b-ab48b3 2024->2033 2037 ab48bb-ab48c1 call aad1e5 2026->2037 2038 ab4984-ab4986 2026->2038 2027->2010 2035 ab4920-ab4930 call ab4335 2028->2035 2036 ab4937-ab4944 2028->2036 2029->1988 2047 ab48b5 2033->2047 2048 ab48d4-ab48dd 2033->2048 2055 ab4933-ab4935 2035->2055 2044 ab4950-ab4955 call ab417b 2036->2044 2045 ab4946 call ab448c 2036->2045 2037->2010 2038->2016 2056 ab494b-ab494e 2044->2056 2045->2056 2047->2037 2048->2019 2055->2016 2056->2055
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4a66df2477907882cf8fb7e9948232d24ed2e6165096c230851c8824ff3bc262
              • Instruction ID: 335c36f1baaf5c9b8f4e191d0d660ccfdd978e84ed3d6184eb9877552e74eea7
              • Opcode Fuzzy Hash: 4a66df2477907882cf8fb7e9948232d24ed2e6165096c230851c8824ff3bc262
              • Instruction Fuzzy Hash: E6B1C270A04245AFEB11DFE8D981BFEBBB9AF4E310F144158E595AB283C7719D42CB60

              Control-flow Graph

              • Function at 0x00AB549C (basic blocks 0x00AB549C to 0x00AB56B7); rendered graph not reproduced
              • API call: WriteFile at block 0x00AB5609
              • Internal calls: aa4723, ab4fe1, aae17d, ab4bb2, ab505e, ab4f79, ab5222, ab5139, aad208
              APIs
              • WriteFile.KERNELBASE(?,00000000,00AA9087,?,00000000,00000000,00000000,?,00000000,?,00A9E5B1,00AA9087,00000000,00A9E5B1,?,?), ref: 00AB5622
              Yara matches
              Similarity
              • API ID: FileWrite
              • String ID:
              • API String ID: 3934441357-0
              • Opcode ID: 4898ace1715669549befadd0c57a55357d572d95517a41dc8949598f6f996009
              • Instruction ID: 6f71359e009e5083f3ab8bb404bc8f2ce0f292f88ef7c3e9218436aa4c556c32
              • Opcode Fuzzy Hash: 4898ace1715669549befadd0c57a55357d572d95517a41dc8949598f6f996009
              • Instruction Fuzzy Hash: 8D618A71D04519AFDF11DFB8C984BEEBBBEAB49304F180149E804A7256D372DA128BA0

              Control-flow Graph

              • Function at 0x00AA4942 (basic blocks 0x00AA4942 to 0x00AA4AE2); rendered graph not reproduced
              • API call: none
              • Internal calls: ab5f82, aa4723, aae11f, aa4cae, aa4e59, aa4ae3, ac4a10
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ae92c7eb9fb5b618f69f2520a7a31f5119956e42bddec90398092efef3457ba0
              • Instruction ID: 9df91193ad47d8e328cc5e64cf055d7c8224324f92d6d42b1705999b0131d1c4
              • Opcode Fuzzy Hash: ae92c7eb9fb5b618f69f2520a7a31f5119956e42bddec90398092efef3457ba0
              • Instruction Fuzzy Hash: 4451C870A00108AFDF14CF58CC41AAABFB5EF8E354F248159F8499B292D3B1DE51CB94

              Control-flow Graph

              • Function at 0x00A30560 (basic blocks 0x00A30560 to 0x00A306B8); rendered graph not reproduced
              • API call: Concurrency::cancel_current_task at block 0x00A306AE (call to 9c21d0)
              • Internal calls: 9c2270, 9c21d0, aa47b0, a9f290, aa0f70, aa14f0, a9f511
              APIs
              • Concurrency::cancel_current_task.LIBCPMT ref: 00A306AE
              Yara matches
              Similarity
              • API ID: Concurrency::cancel_current_task
              • String ID:
              • API String ID: 118556049-0
              • Opcode ID: 704878a6fb962aec51445f9c7907984ce5d7d965d91800b1a8fb89f3cbd27ced
              • Instruction ID: 1ad68154c4365241c4c180f7a32d4147a4daf80eac10e96cbc092814763ec26a
              • Opcode Fuzzy Hash: 704878a6fb962aec51445f9c7907984ce5d7d965d91800b1a8fb89f3cbd27ced
              • Instruction Fuzzy Hash: 5E410472A002189FCB15DF68DD91AAEBBE5AF89310F144169FC05EB346D770DE608BE1

              Control-flow Graph

              • Function at 0x00AB4B12 (basic blocks 0x00AB4B12 to 0x00AB4BB1); rendered graph not reproduced
              • API call: FindCloseChangeNotification at block 0x00AB4B60
              • Internal calls: aba6de, aba64d, aad208
              APIs
              • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00AB49F9,00000000,CF830579,00AF1140,0000000C,00AB4AB5,00AA8BBD,?), ref: 00AB4B69
              Yara matches
              Similarity
              • API ID: ChangeCloseFindNotification
              • String ID:
              • API String ID: 2591292051-0
              • Opcode ID: 87cb92b2ab3e9b794b205cc63b85cea529505bcc1145bcffcb5b6bd405af1164
              • Instruction ID: 666a185781d370e96541e27518a7ea4c295a0ad99284c358350717f06cdfd1f8
              • Opcode Fuzzy Hash: 87cb92b2ab3e9b794b205cc63b85cea529505bcc1145bcffcb5b6bd405af1164
              • Instruction Fuzzy Hash: 1F118E3370412416D72463746951BFE6B4DCBDA770F2A0609FA549B0C3FE31DC424155

              Control-flow Graph

              • Function at 0x00AAE05C (basic blocks 0x00AAE05C to 0x00AAE0DE); rendered graph not reproduced
              • API call: SetFilePointerEx at block 0x00AAE08A
              • Internal calls: aba6de, aad208
              APIs
              • SetFilePointerEx.KERNELBASE(00000000,00000000,00AF0DF8,00A9E5B1,00000002,00A9E5B1,00000000,?,?,?,00AAE166,00000000,?,00A9E5B1,00000002,00AF0DF8), ref: 00AAE099
              Yara matches
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: 313070b58582bfc98f9b3b3032886fdf3d5952510f0847bb13a37888ec860805
              • Instruction ID: 305b7e2969cc3eb88c4787ad80fa5b8506d4fb964bfe6fa67d0191c19bebe167
              • Opcode Fuzzy Hash: 313070b58582bfc98f9b3b3032886fdf3d5952510f0847bb13a37888ec860805
              • Instruction Fuzzy Hash: 7D012632210155ABCF05CF58CC45DAE3B29DB86330B240248F8909B2D1E7B1ED518BD0

              Control-flow Graph

              • Function at 0x00A9F290 (basic blocks 0x00A9F290 to 0x00A9F2BB, plus the tail 0x009C21D0 to 0x009C2220); rendered graph not reproduced
              • Block 0x00A9F2BB branches only to itself (a terminal spin loop)
              • API call: ___std_exception_copy at 0x009C220E
              • Internal calls: aadf2c, ab17d8, 9c21b0, aa0efb, aa0651
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 009C220E
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID:
              • API String ID: 2659868963-0
              • Opcode ID: f1040d02a7b8af5927d359f123d5d53e73013dcd4f601495220b349b61233c9b
              • Instruction ID: 75ab64f9485b52fe4ffeabe541f52b020d2a8f439af09e1108efcf3d5521558b
              • Opcode Fuzzy Hash: f1040d02a7b8af5927d359f123d5d53e73013dcd4f601495220b349b61233c9b
              • Instruction Fuzzy Hash: 9601DB7560430DAFCF14AFA8DC01E9977EC9A01310B544439FA19DB591EB70E9548795

              Control-flow Graph (basic blocks and edges recovered from the rendered graph; the Executed / Not Executed colouring of the image is not preserved in text)

              • 2501 ab63f3-ab63fe -> 2502, 2503
              • 2502 ab640c-ab6412 -> 2505, 2506
              • 2503 ab6400-ab640a -> 2502, 2504
              • 2504 ab6440-ab644b call aad23f -> 2512
              • 2505 ab642b-ab643c RtlAllocateHeap -> 2507, 2508
              • 2506 ab6414-ab6415 -> 2505
              • 2507 ab643e -> 2512
              • 2508 ab6417-ab641e call ab3f93 -> 2504, 2514
              • 2512 ab644d-ab644f (return)
              • 2514 ab6420-ab6429 call ab17d8 -> 2504, 2505

              Reading: 2505 calls RtlAllocateHeap; on a null return the function calls ab3f93 (2508) and then ab17d8 (2514) and, if that succeeds, loops back to 2505 to retry, otherwise it falls into 2504 (call aad23f) and returns. This allocate / query handler / retry loop is the shape of the MSVC CRT heap-allocator wrapper around HeapAlloc, consistent with the CRT function (___std_exception_copy) in the record above.
              APIs
              • RtlAllocateHeap.NTDLL(00000008,00A9D6FA,00000004,?,00AB5D79,00000001,00000364,00000004,00000007,000000FF,?,00AA067B,00000002,00000000,?,?), ref: 00AB6435
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: the same set of associated memory dumps as listed above
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 961155da5c835c7716a9c0c6f7e3ab623a8b5d9186aff92a399cbda8b11bf5f5
              • Instruction ID: 35534e36daa6a7193ed62bfcb7ac61687439c0caf309e813ecc6901361594610
              • Opcode Fuzzy Hash: 961155da5c835c7716a9c0c6f7e3ab623a8b5d9186aff92a399cbda8b11bf5f5
              • Instruction Fuzzy Hash: 6BF0E931501924669B216B629F02BEB3B5C9F81764F258011EC0697082CF34D81186F1

              Control-flow Graph (basic blocks and edges recovered from the rendered graph; the Executed / Not Executed colouring of the image is not preserved in text)

              • 2517 ab6e2d-ab6e39 -> 2518, 2519
              • 2518 ab6e6b-ab6e76 call aad23f -> 2527
              • 2519 ab6e3b-ab6e3d -> 2520, 2521
              • 2520 ab6e3f-ab6e40 -> 2521
              • 2521 ab6e56-ab6e67 RtlAllocateHeap -> 2523, 2524
              • 2523 ab6e69 -> 2527
              • 2524 ab6e42-ab6e49 call ab3f93 -> 2518, 2529
              • 2527 ab6e78-ab6e7a (return)
              • 2529 ab6e4b-ab6e54 call ab17d8 -> 2518, 2521

              Same allocate / handler / retry shape as the graph above, with an extra early exit (2517 -> 2518 -> 2527) taken before the allocation is attempted.
              APIs
              • RtlAllocateHeap.NTDLL(00000000,00000004,00000000,?,00AA067B,00000002,00000000,?,?,?,009C303D,00A9D6FA,00000004,00000000,00A9D6FA), ref: 00AB6E60
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: the same set of associated memory dumps as listed above
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 8c3fe27c9d730e36894d9f14d05e3c0335e2990315157532132a127246ac8d43
              • Instruction ID: 16417ffbf9fa17b5026b0138637c36b2b40b414abd38c74b796ba8e8ac9a5597
              • Opcode Fuzzy Hash: 8c3fe27c9d730e36894d9f14d05e3c0335e2990315157532132a127246ac8d43
              • Instruction Fuzzy Hash: 91E0ED3A1006216ADA3123A5CE00BEB765D9F823A0F150520EC46970D3CF28C80087A4
              APIs
              • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000218,00000000,00AF4D8C,0000000E,0000003A,?), ref: 009DA1BC
              • WriteProcessMemory.KERNEL32(00AC6605,00000218,009D9E30,00000110,00000000), ref: 009DA1DB
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: the same set of associated memory dumps as listed above
              Yara matches
              Similarity
              • API ID: MemoryProcessWrite
              • String ID: $$%s|%s$,$,$.$.$131$:$type must be boolean, but is
              The last string is the nlohmann::json type_error message ("type must be boolean, but is "), so the sample statically links that JSON library; the strings appear here because the function references them, not because WriteProcessMemory consumes them.
              • API String ID: 3559483778-3347632522
              • Opcode ID: d5719ba756367e688d188f8598775700cf0ae8ac829fab61975f3020b66565e3
              • Instruction ID: 8bc1a67c68a09a1eb09a056266cc0ce3ebbc384d07e8c02e522974f8542872ec
              • Opcode Fuzzy Hash: d5719ba756367e688d188f8598775700cf0ae8ac829fab61975f3020b66565e3
              • Instruction Fuzzy Hash: C523BE70D40259CFDF24DF68C958BEDBBB4AF05300F1481AAE449AB392DB359A85CF91
              APIs
              • GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 00A440CC
              • GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 00A44116
              • GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 00A4414E
              • GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 00A44196
              • GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 00A441E9
              The recovered lpProcName is the same value (DCFDFBC6) at all five call sites and hModule is 00000000 at each; these are statically recovered argument values, so confirm in the disassembly how the name argument is produced before reading it as a pointer to a fixed export name.
              Strings
              • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36, xrefs: 00A44037
              A fixed desktop Chrome 119 User-Agent referenced from the same function as the GetProcAddress calls. As a network indicator it is weak on its own, because it is exactly what a genuine Chrome 119 build sends.
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: the same set of associated memory dumps as listed above
              Yara matches
              Similarity
              • API ID: AddressProc
              • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              • API String ID: 190572456-383447037
              • Opcode ID: 8359fe96b08b882d011e327344922773e4e3b01436caf623ae0e8a2baf98a27c
              • Instruction ID: 12d1c3f1aef296936772a61bb055363159df2285a71087182985ac6543109fa4
              • Opcode Fuzzy Hash: 8359fe96b08b882d011e327344922773e4e3b01436caf623ae0e8a2baf98a27c
              • Instruction Fuzzy Hash: EEC13BB08183999FDB04CFA8D495BEDBFF9EF19304F1040AEE845AB652E3744509CB69
              APIs
              • Process32Next.KERNEL32(00000000,00000128), ref: 009C92B0
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: the same set of associated memory dumps as listed above
              Yara matches
              Similarity
              • API ID: NextProcess32
              • String ID: /$/\/$\
              • API String ID: 1850201408-1523196992
              • Opcode ID: 5b6ab1ae438a9043ee5e6223bc86418be68334faa98a8209ce18782eae1bbd12
              • Instruction ID: 96e2757bcce2a8c4f008d9d8598c4d622ba4a8bb2e13bade7b15e82e141fa3e5
              • Opcode Fuzzy Hash: 5b6ab1ae438a9043ee5e6223bc86418be68334faa98a8209ce18782eae1bbd12
              • Instruction Fuzzy Hash: AA921771D002599FDF18CFA8C898BEEFBB9BF45314F1442ADD445AB281E7309A46CB52
              APIs
              • RegCreateKeyExA.ADVAPI32(?,C0D5DDC2,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 009D4A3A
              The samDesired argument 00020006 is KEY_WRITE (READ_CONTROL | KEY_SET_VALUE | KEY_CREATE_SUB_KEY): the key is created or opened for writing, not merely read.
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: the same set of associated memory dumps as listed above
              Yara matches
              Similarity
              • API ID: Create
              • String ID:
              • API String ID: 2289755597-0
              • Opcode ID: 857af718fe2d50ebbe441ad4489b88b871ab2e6bd1dae7a5aff6911d6c7b1d97
              • Instruction ID: fbff3a41bb419b657cb4931cf55e3c063286512168a8688233a93e6c1197d620
              • Opcode Fuzzy Hash: 857af718fe2d50ebbe441ad4489b88b871ab2e6bd1dae7a5aff6911d6c7b1d97
              • Instruction Fuzzy Hash: 8CB28770A542A98FDB28CF58C8A4BAEBBB1FF44704F15808ED4496F352D771AA45CF90
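              The API lines in the records above (WriteProcessMemory, GetProcAddress, Process32Next, RegCreateKeyExA) are the parts of these per-function entries an analyst acts on. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in the report's `API.MODULE(args), ref: ADDR` shape into a capability summary, decodes the RegCreateKeyExA access mask and flags the repeated GetProcAddress name argument. Parameter counts and KEY_* values come from the Win32 headers; the one assumption about the report format is that argument slots beyond an API's arity are extra stack words, which the parser discards.

```python
"""Parse the per-function "APIs" lines of a Joe Sandbox report into a short
capability summary.  Added example for this page, not Joe Sandbox code.
Line shape (API.MODULE(args), ref: ADDR) is taken from the report above;
arities and registry access-right values come from the Win32 prototypes.
Assumption about the report format: argument slots beyond an API's arity are
extra stack words the report dumps, so they are discarded."""
import re
from collections import Counter

# Input: the API lines quoted from the report above (constructed test input).
REPORT_LINES = [
    "• RtlAllocateHeap.NTDLL(00000008,00A9D6FA,00000004,?,00AB5D79,00000001,00000364,00000004,00000007,000000FF,?,00AA067B,00000002,00000000,?,?), ref: 00AB6435",
    "• WriteProcessMemory.KERNEL32(00000000,00000000,?,00000218,00000000,00AF4D8C,0000000E,0000003A,?), ref: 009DA1BC",
    "• WriteProcessMemory.KERNEL32(00AC6605,00000218,009D9E30,00000110,00000000), ref: 009DA1DB",
    "• GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 00A440CC",
    "• GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 00A44116",
    "• GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 00A4414E",
    "• GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 00A44196",
    "• GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 00A441E9",
    "• Process32Next.KERNEL32(00000000,00000128), ref: 009C92B0",
    "• RegCreateKeyExA.ADVAPI32(?,C0D5DDC2,00000000,00000000,00000000,00020006,00000000,?,00000000), ref: 009D4A3A",
]

_API_RE = re.compile(r"^•?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")

# Parameter counts from the Win32/NT prototypes of the APIs in this report.
ARITY = {"RtlAllocateHeap": 3, "WriteProcessMemory": 5, "GetProcAddress": 2,
         "Process32Next": 2, "RegCreateKeyExA": 9}

# Registry access rights (winnt.h); exact composite masks get their usual name.
KEY_RIGHTS = {
    0x00000001: "KEY_QUERY_VALUE", 0x00000002: "KEY_SET_VALUE",
    0x00000004: "KEY_CREATE_SUB_KEY", 0x00000008: "KEY_ENUMERATE_SUB_KEYS",
    0x00000010: "KEY_NOTIFY", 0x00000020: "KEY_CREATE_LINK",
    0x00000100: "KEY_WOW64_64KEY", 0x00000200: "KEY_WOW64_32KEY",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
KEY_COMPOSITES = {0x00020006: "KEY_WRITE", 0x00020019: "KEY_READ",
                  0x000F003F: "KEY_ALL_ACCESS"}


def parse_api_line(line):
    """Return (api, module, args, ref) for one report line, or None if the line
    is not an API line.  Unknown slots ('?') become None; surplus slots are dropped."""
    m = _API_RE.match(line.strip())
    if not m:
        return None
    api, module, raw_args, ref = m.groups()
    args = [None if a.strip() == "?" else int(a, 16) for a in raw_args.split(",")]
    return api, module, args[:ARITY.get(api, len(args))], int(ref, 16)


def decode_key_access(mask):
    """Name the access bits of a RegCreateKeyEx samDesired mask."""
    if mask in KEY_COMPOSITES:
        return [KEY_COMPOSITES[mask]]
    names = [name for bit, name in sorted(KEY_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(KEY_RIGHTS)
    if unknown:
        names.append(f"0x{unknown:08X}")  # bits outside the known rights
    return names


def summarize(lines):
    """Group calls by API and extract the arguments an analyst checks first."""
    calls = [c for c in map(parse_api_line, lines) if c]
    counts = Counter(api for api, _, _, _ in calls)
    summary = {"call_counts": dict(counts), "registry_access": [],
               "wpm_sizes": [], "notes": []}
    for api, _module, args, ref in calls:
        if api == "RegCreateKeyExA" and args[5] is not None:      # samDesired
            rights = "|".join(decode_key_access(args[5]))
            summary["registry_access"].append(rights)
            summary["notes"].append(f"{ref:08X}: registry key opened with {rights}")
        elif api == "WriteProcessMemory" and args[3] is not None:  # nSize
            summary["wpm_sizes"].append(args[3])
            summary["notes"].append(f"{ref:08X}: writes 0x{args[3]:X} bytes into a process")
        elif api == "Process32Next":
            summary["notes"].append(f"{ref:08X}: process enumeration")
    # Dynamic import resolution: report the number of GetProcAddress sites and the
    # distinct recovered lpProcName values (one value at every site is a cue to
    # check the disassembly before reading it as a string pointer).
    names = {args[1] for api, _m, args, _r in calls if api == "GetProcAddress"}
    if counts.get("GetProcAddress", 0) >= 3:
        shown = ", ".join(f"0x{n:08X}" for n in sorted(n for n in names if n is not None))
        summary["notes"].append(
            f"{counts['GetProcAddress']} GetProcAddress sites, lpProcName values: {shown}")
    return summary


if __name__ == "__main__":
    for note in summarize(REPORT_LINES)["notes"]:
        print(note)
```

              Run against the lines above it reports KEY_WRITE for the RegCreateKeyExA call, the two WriteProcessMemory sizes (0x218 and 0x110 bytes, as statically recovered by the sandbox) and five GetProcAddress sites sharing the single name value DCFDFBC6. Feed it the API lines of other function records from the same report to build the summary for the whole sample.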
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: the same set of associated memory dumps as listed above
              Yara matches
              Similarity
              • API ID:
              • String ID: header crc mismatch$incorrect header check$invalid window size$unknown compression method$unknown header flags set
              These are the inflate error messages from zlib (inflate.c), so this function is statically linked zlib decompression code rather than logic specific to the stealer.
              • API String ID: 0-3633268661
              • Opcode ID: 15ca366e75fa8c10c254f908ee94aa9492cce4dde3d54722813fb4d1f5fc96c3
              • Instruction ID: 9e7956d0a63558c0573ad5c2003a7336dd8715a4db41fc44039db14c12ea1133
              • Opcode Fuzzy Hash: 15ca366e75fa8c10c254f908ee94aa9492cce4dde3d54722813fb4d1f5fc96c3
              • Instruction Fuzzy Hash: 46628EB8E002149FDB14CF59C5847AEBBF1AFC8304F2881ADD818AB346D735D956CB91
              APIs
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: Mtx_unlock
              • String ID: *$\
              • API String ID: 1418687624-1504634461
              • Opcode ID: c022c4fa5e122ecf5f927597bb4d891e9c62edd807108eb7e45cb40199314abe
              • Instruction ID: ac382e2c54958e055d70e493c0d52ce76395f37677ce84baa3db0234365f57ad
              • Opcode Fuzzy Hash: c022c4fa5e122ecf5f927597bb4d891e9c62edd807108eb7e45cb40199314abe
              • Instruction Fuzzy Hash: 6DD27B709042598FDB68CF68CD947DDBBB1BF09304F1482EAD449AB382E7749A85CF91
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3f97ce6278b5da815f6c389bae476adc5dc884afc24939f4c376b69ad4ad6edd
              • Instruction ID: 39c395ea247047d93d92e9e3b953af9ffbeb4cc6f809ce1ff5d5acd03843d51f
              • Opcode Fuzzy Hash: 3f97ce6278b5da815f6c389bae476adc5dc884afc24939f4c376b69ad4ad6edd
              • Instruction Fuzzy Hash: 03021A71E012199FDF14CFA9C980AAEFBF1FF49314F248269D919E7380DB35A9418B94
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: AddressConcurrency::cancel_current_taskProc
              • String ID: C$Content-Type: application/x-www-form-urlencoded$https://ipinfo.io/$https://www.maxmind.com/en/locate-my-ip-address
              • API String ID: 3114269349-2400714340
              • Opcode ID: b64d336c96de62e637af15463609e9fd1197f89b54c21b0a77184c78d593815f
              • Instruction ID: d926ed43a6c26516750bd5dbd53b56b0b3915fdf8fb9483c1f31182eac5ffec4
              • Opcode Fuzzy Hash: b64d336c96de62e637af15463609e9fd1197f89b54c21b0a77184c78d593815f
              • Instruction Fuzzy Hash: 1AC27F70D042689ADF25EB68CD56BEDBB78AF15304F0040E9E54977282EB701F89CF66
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: buffer error$stream error
              • API String ID: 0-1018483818
              • Opcode ID: e21fd3bce77d302f0e81b36522a3e9a510c4b4fe917176cd98be63db006458db
              • Instruction ID: ca60dba9121cde46521c219018baf8e483ccd18cd8b3767b122badee30fc4a01
              • Opcode Fuzzy Hash: e21fd3bce77d302f0e81b36522a3e9a510c4b4fe917176cd98be63db006458db
              • Instruction Fuzzy Hash: 11A26B78A04A42DFCB24CF68D180A6AB7F1FF89304B14866DD4458BB51D734F996CBA2
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: __allrem
              • String ID:
              • API String ID: 2933888876-0
              • Opcode ID: d68308bb606b7786100e1441d07846ff0e98ad75e9aee0bbeb807362fecbbeb3
              • Instruction ID: 3169e6ba65b861f2cf4c18b5ea0f3cc86386854d5eb412f30e4e8d31bead8767
              • Opcode Fuzzy Hash: d68308bb606b7786100e1441d07846ff0e98ad75e9aee0bbeb807362fecbbeb3
              • Instruction Fuzzy Hash: 10818075A011459FDB08CF9CCC80BAEBBB5AF99300F5480A9ED15EB342D275EE05CB91
              APIs
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: __allrem
              • String ID:
              • API String ID: 2933888876-0
              • Opcode ID: fb8d51b74640016ad67efaf679fb633d377aeed372739de2500c462ff0dbf93c
              • Instruction ID: 3ce1bd2ca1fad1ab1118d478d21b18522f99800154dc85921d452d175ccb235d
              • Opcode Fuzzy Hash: fb8d51b74640016ad67efaf679fb633d377aeed372739de2500c462ff0dbf93c
              • Instruction Fuzzy Hash: AA616B716107409FCB28CF6DC88096AFBF5AF95300B548AAEDC86DB752D630E955CB90
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: 0
              • API String ID: 0-4108050209
              • Opcode ID: d1e01285008eef21aaa1c5ee474bf5d9151a34602e4e31146ef491a3a414d072
              • Instruction ID: 1b5cf49925f47e70933420decf137b31488bac9725f75c6df869d96296f31216
              • Opcode Fuzzy Hash: d1e01285008eef21aaa1c5ee474bf5d9151a34602e4e31146ef491a3a414d072
              • Instruction Fuzzy Hash: 41C1CF74A0064ACFEB24CF68C984A7EBBB1AF07320F184619D856976D2D731ED45CF61
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: 0
              • API String ID: 0-4108050209
              • Opcode ID: c6bb5f23fa7c0b5f510aae38f377518c23ca2af4f7402271d35970703ee522a7
              • Instruction ID: cee9b13e42bf7d0eef9fc30f2ff0671c06f4b637dd0967937719c2563d313c2e
              • Opcode Fuzzy Hash: c6bb5f23fa7c0b5f510aae38f377518c23ca2af4f7402271d35970703ee522a7
              • Instruction Fuzzy Hash: EBB1C57092060A8BCB34CF68C5A5ABEBBB1AF07320F14061ED5529B6D3DB359D05CB71
              APIs
              • GetSystemTimePreciseAsFileTime.KERNEL32(?,00A9EC78,?,?,?,?,009D40EB,?,009DF5EB), ref: 00A9F283
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: Time$FilePreciseSystem
              • String ID:
              • API String ID: 1802150274-0
              • Opcode ID: 1eaed247c2ff0f98af286f4437f8d3b31abd26ccf42a85c8b90bdc5619756025
              • Instruction ID: ca757cc8ed4cee6be7c361115e4bcb911f71a84874df7944dc3237922bde63f2
              • Opcode Fuzzy Hash: 1eaed247c2ff0f98af286f4437f8d3b31abd26ccf42a85c8b90bdc5619756025
              • Instruction Fuzzy Hash: 15D022327012386B8E01ABD0EC009FD7BA8CA88B90301003AE808AF218CA111C008BC4
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: -
              • API String ID: 0-2547889144
              • Opcode ID: ffad52e287b60b8b48c8f6c01dcfbe838c716be90c45fb450b26370899277487
              • Instruction ID: 0e956080e72c6849a792ad2e0c42bce07732165d13a258eeea7d7ef3ea03e908
              • Opcode Fuzzy Hash: ffad52e287b60b8b48c8f6c01dcfbe838c716be90c45fb450b26370899277487
              • Instruction Fuzzy Hash: 3181A274911648AEEF219AB4C840BEDFFF0EF45201F1489E8E8D1E3B41D678E64AC761
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0c5316f1b48f63a7bb38c0e6b3ea4f58914c08cb1eb6d5d8162fff3f7cf674ca
              • Instruction ID: 15fde7e20a0e79bc80b03614ea78d0bfb18689b2cddb5506daea02242c2201b3
              • Opcode Fuzzy Hash: 0c5316f1b48f63a7bb38c0e6b3ea4f58914c08cb1eb6d5d8162fff3f7cf674ca
              • Instruction Fuzzy Hash: 523241B7F5161447DB0CCE5DDCA16EDB2E3AFD8224B1E803DA80AE3345EA79DD058684
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b80b37ecb74186be8c734b10355c4c601250e8bd0ee9413014499d52b291190a
              • Instruction ID: 2e06c4fb287e1f1a6bbb2cf1e453baafada281f92d93c5c5bb79ed7e8d0ef4ff
              • Opcode Fuzzy Hash: b80b37ecb74186be8c734b10355c4c601250e8bd0ee9413014499d52b291190a
              • Instruction Fuzzy Hash: 5A024175909215CFCB09CF58D4D48F97BF1EFA9310B1A82EDD8899B366D3319980CB91
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7acbd11ad7c86b5b50aa6d0cc179040a8f8603e2df70251344679114ae10a6f6
              • Instruction ID: bb53ef79f4b7d904ea6e56af1f1ffb1b11eae8fa69cf39b0cb8b9feda13dd437
              • Opcode Fuzzy Hash: 7acbd11ad7c86b5b50aa6d0cc179040a8f8603e2df70251344679114ae10a6f6
              • Instruction Fuzzy Hash: 13D19D74600B418BE764CF39C490796BBE1FF98314F1486ADD4EA8B781EB74A489CB91
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2a2e03b90355dc0d59000aeef2c7e7f9d6bd4af588e3a47cd3e57602e03e1696
              • Instruction ID: 8e2e1910d687b3e6f1d42335f849a44caaf358470fbacae107b20df120014a82
              • Opcode Fuzzy Hash: 2a2e03b90355dc0d59000aeef2c7e7f9d6bd4af588e3a47cd3e57602e03e1696
              • Instruction Fuzzy Hash: 27B19035A007059FEB31CBA8CC40ABEF7F5FF84310F104A59E9A6D2690D3B1A956CB61
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ef7c3bc278ec1be74c412d1d410004a4df5d21a6df1fc4201c5dbd1b215ea9a0
              • Instruction ID: 6de4d2134fa202ef1083c80879a57fcce92c9125c3b7f41b9019258dac88f5b0
              • Opcode Fuzzy Hash: ef7c3bc278ec1be74c412d1d410004a4df5d21a6df1fc4201c5dbd1b215ea9a0
              • Instruction Fuzzy Hash: E9B1AD756047019FD720CF64C880A6BBBE4FFC9324F148A3DF9AA87690D774E9498B52
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6e0110d37a832741cbfa0bcadf1ef546e35509656148e6bc427bb078400eb7b2
              • Instruction ID: 960965f7cb3ad1d35b2f818fca42f68d8df3cd5fd321e5e0147da11c08f86e45
              • Opcode Fuzzy Hash: 6e0110d37a832741cbfa0bcadf1ef546e35509656148e6bc427bb078400eb7b2
              • Instruction Fuzzy Hash: A9B13C316106089FD715CF28C486BA67BE4FF45364F29865CEAD9CF2A2C335E992CB40
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Similarity
              • Opcode ID: 3370e07b085594239fe4dcb0d36e318b0f4e9fd2e356d89514dfa6b5abee0c9d
              • Instruction ID: c1aa1e538d5d432af71a43f462333d6937d7109a6521d653363e1d77928a2641
              • Opcode Fuzzy Hash: 3370e07b085594239fe4dcb0d36e318b0f4e9fd2e356d89514dfa6b5abee0c9d
              • Instruction Fuzzy Hash: 457105B4D002868FDB14CFA8C9D0BBFBBB4EB19314F04016DE85597782C7249946CBA2
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: same 24 associated dumps as listed in the first Memory Dump Source entry for the 009C0000 region above
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Similarity
              • Opcode ID: 41d31ba86242bfd7bd76f9ba221a1519e07e8bc4f3f0aa95c67da6b44e1bb030
              • Instruction ID: 65b28cee2eac6f6cf6d45b71861c617ca95979a339873f73637ac13b97b4d039
              • Opcode Fuzzy Hash: 41d31ba86242bfd7bd76f9ba221a1519e07e8bc4f3f0aa95c67da6b44e1bb030
              • Instruction Fuzzy Hash: 8161B535500649AFDB30CAB8CC80BEEFBF5EF85310F208AB9E595D27A0D275A685C751
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: same 24 associated dumps as listed in the first Memory Dump Source entry for the 009C0000 region above
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Similarity
              • Opcode ID: 38fecc659fb7173984813311a39dbe0c1500e79f879aa17b4e8b06ddf9a15555
              • Instruction ID: b3b6a02b48b9e019f4b66f2e37285b5e78824acaca45cb32f50d63903aba9db2
              • Opcode Fuzzy Hash: 38fecc659fb7173984813311a39dbe0c1500e79f879aa17b4e8b06ddf9a15555
              • Instruction Fuzzy Hash: D26142356211658FD718CF9EECD04263362A78A311387425BEBD2DB3A6C735E927C7A0
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: same 24 associated dumps as listed in the first Memory Dump Source entry for the 009C0000 region above
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Similarity
              • Opcode ID: c3fc4c93f923b7ee093d18b2828e4e4930910a31c29a76f25b759c50d02cdba6
              • Instruction ID: d128305db90ad55c247212ed0235bfffc1061fb83b45c5cdd3a9b92114c15861
              • Opcode Fuzzy Hash: c3fc4c93f923b7ee093d18b2828e4e4930910a31c29a76f25b759c50d02cdba6
              • Instruction Fuzzy Hash: C6519F71E042199FCB14DF98D981AEEBBB9FB59310F14856EE529B7340D7309E44CBA0
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: same 24 associated dumps as listed in the first Memory Dump Source entry for the 009C0000 region above
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Similarity
              • Opcode ID: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
              • Instruction ID: 4a28a0fdfff8a2d7d18b12e83f58a8fc371addf1d0c5da0fdcbb4a8e774f0e40
              • Opcode Fuzzy Hash: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
              • Instruction Fuzzy Hash: 50519F72D0021AEFDF04CF99C941AEEBBB2FF89300F198458E915AB241D734AA50CF90
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: same 24 associated dumps as listed in the first Memory Dump Source entry for the 009C0000 region above
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Similarity
              • Opcode ID: 854d7f0168f0dc93b040c5b83782ce3004fb363419dbd7899f20dfa3d1eb45b6
              • Instruction ID: f6bc399d9f530788a6568761cc8f058cb052674667ab5e4f743c8840a0175683
              • Opcode Fuzzy Hash: 854d7f0168f0dc93b040c5b83782ce3004fb363419dbd7899f20dfa3d1eb45b6
              • Instruction Fuzzy Hash: 8D316F31600B158FC365CEB9C8817A3F7E5FB89310F150A6ED6EAC7281C6B4B984CB60
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: same 24 associated dumps as listed in the first Memory Dump Source entry for the 009C0000 region above
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Similarity
              • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
              • Instruction ID: 003b696ac97f426493bf3b633655a28f95e50146494d3028ddd57524b0139d64
              • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
              • Instruction Fuzzy Hash: 58113AB724018243D6148B3DD8B47B7A396EBCB32072C437AD0428B7DAD322E9759B00
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: same 24 associated dumps as listed in the first Memory Dump Source entry for the 009C0000 region above
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Similarity
              • Opcode ID: 3cfb95c149f0463e4b641523fec08800f73bcecedb22266f242cad393be72faf
              • Instruction ID: a99292ee69b1909802bc29c9ac32427a234f1a83ee70c8625d7395c9c097835b
              • Opcode Fuzzy Hash: 3cfb95c149f0463e4b641523fec08800f73bcecedb22266f242cad393be72faf
              • Instruction Fuzzy Hash: 9F015BB1915219AFDB10CFA9C8856CEFBF8EF08310F5085AAD459EB241E3756615CBA0
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: same 24 associated dumps as listed in the first Memory Dump Source entry for the 009C0000 region above
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Similarity
              • Opcode ID: f57c5513b2a6ddb8df53c919b5ef77e69e08df4e3d3e96d3fc4e754907942400
              • Instruction ID: 9c140e5ba4993787863df00baeedee07485520a306e14e42b73f3c80de71b79b
              • Opcode Fuzzy Hash: f57c5513b2a6ddb8df53c919b5ef77e69e08df4e3d3e96d3fc4e754907942400
              • Instruction Fuzzy Hash: 1311BC30A54661CBCB2ACF08D0A0BA9B7A6AF45744B6A808ED8852F712D331AD45CB80
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f6a0d817ca145215bc037eb701ec72e99ba6f7c24fda562093728c0da0a65e5c
              • Instruction ID: 5422ab2fc49ce4aaa8097c66b0b5a4b598e96f49457ff7ab99f1a5dae44736f0
              • Opcode Fuzzy Hash: f6a0d817ca145215bc037eb701ec72e99ba6f7c24fda562093728c0da0a65e5c
              • Instruction Fuzzy Hash: F1118C34A546A58FCB19CF18C0A0BA9BBB5EF45B44B6A808EC8851F712D731AD45CBC0
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2331c35f67e26b467e86bfc6563afaf605379b36677bac8d8242ce75225f09fc
              • Instruction ID: 75095e0fac7d13a65ddcfb9ecf5207040203e423e595e1c71bd6b0a06ca5f0c6
              • Opcode Fuzzy Hash: 2331c35f67e26b467e86bfc6563afaf605379b36677bac8d8242ce75225f09fc
              • Instruction Fuzzy Hash: 41118C30A942A58BCB29CF18C0A0B69B7A5FF54B58F29818EC8951F716D771AD05CBD0
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d612fa485dbe76ae60773ae33d8315ac9e875e2fc8dd6338d585fd5b0774defa
              • Instruction ID: caa63d78eb48a85fbbb348eeae26c1b3a57311cb1e6416fa854bff0ad75f471d
              • Opcode Fuzzy Hash: d612fa485dbe76ae60773ae33d8315ac9e875e2fc8dd6338d585fd5b0774defa
              • Instruction Fuzzy Hash: A5D0A73102C2B0CFC736CA3CB084BA77F844F06704F560DEDC0828B061D5A09984CB58
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: fb43d5ebd18ffb5bfa975f8970044cafa813baba2386a534dcfbb36c7b008315
              • Instruction ID: 0efff11946dbbd271eadd0bc065218e7a7d4b4ef47abd5fcbe0ba1a1b00c80c6
              • Opcode Fuzzy Hash: fb43d5ebd18ffb5bfa975f8970044cafa813baba2386a534dcfbb36c7b008315
              • Instruction Fuzzy Hash: E3D0A73203D6B18DD32EC62CA044F877BE54F47314F160DDDC0828B051E5A0D5C9C358
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ac8b70dc6646eac00bb8f7aeb5e9057f0b1fa3d1da44066a827c1914688b07cf
              • Instruction ID: b8506684b8c3c8a260caa876a5ad72b7c0f2b98747af9bee7cbcea6493a0616b
              • Opcode Fuzzy Hash: ac8b70dc6646eac00bb8f7aeb5e9057f0b1fa3d1da44066a827c1914688b07cf
              • Instruction Fuzzy Hash: 02D0A73142C2B5CEC326C66CE084F877F954F02704F168CDDC0A28B155D5E0D984C354
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: f4a58f2acd26a6c84f23a47943215d251ee13493331cefdf2c4a931ee6dde283
              • Instruction ID: 591873e76c15250dd7f66a3d6dd1ebf7148b6181fd2a528ca3b93750cf485b30
              • Opcode Fuzzy Hash: f4a58f2acd26a6c84f23a47943215d251ee13493331cefdf2c4a931ee6dde283
              • Instruction Fuzzy Hash: 2EC012705041204BD738DF1CF581857B3E6AF58700724893DE48B43700E672ED0087C0
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 00A2F833
              • std::_Lockit::_Lockit.LIBCPMT ref: 00A2F855
              • std::_Lockit::~_Lockit.LIBCPMT ref: 00A2F875
              • std::_Lockit::~_Lockit.LIBCPMT ref: 00A2F89F
              • std::_Lockit::_Lockit.LIBCPMT ref: 00A2F90D
              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A2F959
              • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00A2F973
              • std::_Lockit::~_Lockit.LIBCPMT ref: 00A2FA08
              • std::_Facet_Register.LIBCPMT ref: 00A2FA15
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
              • String ID: bad locale name$Ps
              • API String ID: 3375549084-1174896957
              • Opcode ID: 24f8065e3276e726b2f2d9852d9d5499441cbd6f8cba0bea55dc8b835542a960
              • Instruction ID: ed83f6d83be1484a9cdd97d6e2187eb829230704d137e6e428f497e75d44cccf
              • Opcode Fuzzy Hash: 24f8065e3276e726b2f2d9852d9d5499441cbd6f8cba0bea55dc8b835542a960
              • Instruction Fuzzy Hash: 2761BEB1E00218AFEF10DFA8E945B9EBBF4AF14310F144179E845AB381E734E945CBA1
              APIs
              • GetModuleHandleA.KERNEL32(F8F7E6FF,?,?,00AF56BC), ref: 009C8E0E
              • GetProcAddress.KERNEL32(00000000,E1D7E6DF), ref: 009C8E1B
              • GetModuleHandleA.KERNEL32(F8F7E6FF), ref: 009C8E85
              • GetProcAddress.KERNEL32(00000000,E1C2E6DF), ref: 009C8E8C
              • CloseHandle.KERNEL32(00000000), ref: 009C9092
              • CloseHandle.KERNEL32(00000000), ref: 009C90F4
              • CloseHandle.KERNEL32(00000000), ref: 009C9121
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: Handle$Close$AddressModuleProc
              • String ID: File
              • API String ID: 4110381430-749574446
              • Opcode ID: e6475d13040ce0bd52e2f3e7b80cfa002a916f00afb479ebae065a83fc6a3c61
              • Instruction ID: 350783dd0a0a5413c2846b30d5bd7d7c3cdfc4a3425abbc30557ce1b812426bd
              • Opcode Fuzzy Hash: e6475d13040ce0bd52e2f3e7b80cfa002a916f00afb479ebae065a83fc6a3c61
              • Instruction Fuzzy Hash: 0CC19F70D002599AEF24DFA4CC89FAEBBB9FF05700F10006DE945BB282DB755A45CB66
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 009C3A58
              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 009C3AA4
              • __Getctype.LIBCPMT ref: 009C3ABA
              • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 009C3AE6
              • std::_Lockit::~_Lockit.LIBCPMT ref: 009C3B7B
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
              • String ID: bad locale name
              • API String ID: 1840309910-1405518554
              • Opcode ID: 90adbe9142e9df638bf3553c594e4e83ef3b801379eb8a4a9b2aa8b8cb42d711
              • Instruction ID: 61255acf1cc1f56f8c0a98b6269f020cb307c281b61a7b2ef8b784c5a42e4715
              • Opcode Fuzzy Hash: 90adbe9142e9df638bf3553c594e4e83ef3b801379eb8a4a9b2aa8b8cb42d711
              • Instruction Fuzzy Hash: 5D515FB1D002489FEF10DFA4D945F9EBBF8AF14314F148069E849AB781E774DA04CBA2
              APIs
              • LocalAlloc.KERNEL32(00000040,0000001C), ref: 009CB1F0
              • LocalAlloc.KERNEL32(00000040,0000001C,?,00000000,00000000), ref: 009CB239
              • SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,00000000,00000000,00000000,?,00000000), ref: 009CB26D
              • SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,?,00000000,?,00000000,00000000), ref: 009CB28F
              • LocalFree.KERNEL32(?,?,?,?,?,00000000,?,00000000,00000000), ref: 009CB2C0
              • LocalFree.KERNEL32(?,?,?,00000000,?,00000000,00000000), ref: 009CB2C5
              • LocalFree.KERNEL32(?,?,?,00000000,?,00000000,00000000), ref: 009CB2C8
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: Local$Free$AllocDetailDeviceInterfaceSetup
              • String ID:
              • API String ID: 4232148138-0
              • Opcode ID: cd5fbd4182010f0270cd0c67f3251f2eddb727287ca5bf084d31d5c58ac870d3
              • Instruction ID: 7aac87a8e44867703180e4244665fea071dab57cce8fdb08e4b8e789fecac15d
              • Opcode Fuzzy Hash: cd5fbd4182010f0270cd0c67f3251f2eddb727287ca5bf084d31d5c58ac870d3
              • Instruction Fuzzy Hash: 74413BB1A40309AFDB20DFA9DC41FAEBBF8EB48700F10452AE559E7690E770A9008B50
              APIs
              • _ValidateLocalCookies.LIBCMT ref: 00AA2E47
              • ___except_validate_context_record.LIBVCRUNTIME ref: 00AA2E4F
              • _ValidateLocalCookies.LIBCMT ref: 00AA2ED8
              • __IsNonwritableInCurrentImage.LIBCMT ref: 00AA2F03
              • _ValidateLocalCookies.LIBCMT ref: 00AA2F58
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
              • String ID: csm
              • API String ID: 1170836740-1018135373
              • Opcode ID: ca29cbf8827e9503852bde6caaf484bc032b7932ed791e2701062f7f059fd8c0
              • Instruction ID: fd7b8abf0c968b9babfae096ae2468c4b8873482e75afdaa0786398559529ab8
              • Opcode Fuzzy Hash: ca29cbf8827e9503852bde6caaf484bc032b7932ed791e2701062f7f059fd8c0
              • Instruction Fuzzy Hash: 09417F31A00209ABCF20DF6CC885B9EBBB5AF46314F148056E9149B392D735DA65CB91
              APIs
              • __allrem.LIBCMT ref: 00AAD69B
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AAD6B7
              • __allrem.LIBCMT ref: 00AAD6CE
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AAD6EC
              • __allrem.LIBCMT ref: 00AAD703
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AAD721
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
              • String ID:
              • API String ID: 1992179935-0
              • Opcode ID: 7222d4fbd83bf911f66e88245ad854337fd27cd591c1530f5d5dc897f2461532
              • Instruction ID: cae471c0baa3f19cc566ca1c98ae199ae2d9bed1089185d6cf78a316595a8a06
              • Opcode Fuzzy Hash: 7222d4fbd83bf911f66e88245ad854337fd27cd591c1530f5d5dc897f2461532
              • Instruction Fuzzy Hash: 588119B2A007029FD724AF69DD41BAA73F8AF46724F24462DF492D7AC1E770DD008790
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 00A2DE93
              • std::_Lockit::_Lockit.LIBCPMT ref: 00A2DEB6
              • std::_Lockit::~_Lockit.LIBCPMT ref: 00A2DED6
              • std::_Facet_Register.LIBCPMT ref: 00A2DF4B
              • std::_Lockit::~_Lockit.LIBCPMT ref: 00A2DF63
              • Concurrency::cancel_current_task.LIBCPMT ref: 00A2DF7B
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
              • String ID:
              • API String ID: 2081738530-0
              • Opcode ID: a0f3e9ef86c002a9add5eaa1130c7e8f74dedf9a4c5a3d6d92524176236157a1
              • Instruction ID: 9b8b9adc8b1e9f7e6ad08a802556f9d7f4dbac9138580d8e33090e3533936f97
              • Opcode Fuzzy Hash: a0f3e9ef86c002a9add5eaa1130c7e8f74dedf9a4c5a3d6d92524176236157a1
              • Instruction Fuzzy Hash: 5C31C171900229DFCF14DF88EA84BAEBBB4FB14720F154669E8166B352D730AD41CBD1
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: \*.*
              • API String ID: 0-1173974218
              • Opcode ID: 813d821ce4e2ebc8db89ba2d049c62791bd1c7604c23707322e538a7847ee878
              • Instruction ID: 044ebf13ab62c38ae528651548f72d858b182bcea8f2b4a57a316965e3d184cb
              • Opcode Fuzzy Hash: 813d821ce4e2ebc8db89ba2d049c62791bd1c7604c23707322e538a7847ee878
              • Instruction Fuzzy Hash: FFA1AF70D0020D9FEB18CFA8C994BAEBBB6FF49314F14452DE415E7281E7709A85CB62
              APIs
              • ___std_exception_destroy.LIBVCRUNTIME ref: 009C4F72
              • ___std_exception_destroy.LIBVCRUNTIME ref: 009C4FFF
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_destroy
              • String ID: ", "$: "
              • API String ID: 4194217158-747220369
              • Opcode ID: e62367fa68f1cad6f44248a712fadc50b97d5ec38decb085fc230fdb6b5e22d1
              • Instruction ID: f9e1b5431efddf78f8481623f2bccfdb4c233301307c9cd8d86c509abc9c8728
              • Opcode Fuzzy Hash: e62367fa68f1cad6f44248a712fadc50b97d5ec38decb085fc230fdb6b5e22d1
              • Instruction Fuzzy Hash: FCC10370A002058FDB28DF68D995BAEBBF9FF48300F144A2DE456D7781D774A944CBA2
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 009C799A
              • ___std_exception_copy.LIBVCRUNTIME ref: 009C7B75
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: out_of_range$type_error
              • API String ID: 2659868963-3702451861
              • Opcode ID: f29991a06176524f16f2f42f00eb5f2d7dfa9a0116bc8a97da41d1aea0d01e5a
              • Instruction ID: 7ac29c904edc8ee8218029b697d2029ea188a39c631ab31421e3884e1de5eae5
              • Opcode Fuzzy Hash: f29991a06176524f16f2f42f00eb5f2d7dfa9a0116bc8a97da41d1aea0d01e5a
              • Instruction Fuzzy Hash: 07C148B1D002499FDB18CFA8D984B9DFBF5BB49300F14866DE419EB781E774A9808F61
              APIs
              • ___std_exception_destroy.LIBVCRUNTIME ref: 009C75BE
              • ___std_exception_destroy.LIBVCRUNTIME ref: 009C75CD
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_destroy
              • String ID: at line $, column
              • API String ID: 4194217158-191570568
              • Opcode ID: 876e729e89ba6dadaf9b6b5ea81c2aadd50618eca61cae4c60219a63d4371c11
              • Instruction ID: 32f2780b72dbac9eedf283c677d1ce465f2b83d4e8cf726f43a00407b1619a73
              • Opcode Fuzzy Hash: 876e729e89ba6dadaf9b6b5ea81c2aadd50618eca61cae4c60219a63d4371c11
              • Instruction Fuzzy Hash: 3661B071A042499FDB08CFA8DD85BADFBB6BF49300F24862CF415A7781D774AA408F91
              APIs
              • GetSystemMetrics.USER32(00000001), ref: 009CAF8A
              • GetSystemMetrics.USER32(00000000), ref: 009CAF90
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: MetricsSystem
              • String ID: d$image/png
              • API String ID: 4116985748-2616758285
              • Opcode ID: 4db8ae20dfab8ef9deec74ead6528d67749349af697ef3d1e7b72843017146e2
              • Instruction ID: c9fb92741acc827a03342cfaf4c2819221cccaec6e8b7cd8574e48eaa45f1036
              • Opcode Fuzzy Hash: 4db8ae20dfab8ef9deec74ead6528d67749349af697ef3d1e7b72843017146e2
              • Instruction Fuzzy Hash: C0517AB1508301AFD710DF20C895F6BBBE8EB89744F000D1EF994A7250E772E905CBA2
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 009C3E7F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
              • API String ID: 2659868963-1866435925
              • Opcode ID: 546e9a63af0de62eab1cc79b9343db11f02d44352cfd7fb05ebbd2e98f4edec0
              • Instruction ID: f5765af90b11914270f6d3465d0f24e1598188700af7d5e215f6320b08312172
              • Opcode Fuzzy Hash: 546e9a63af0de62eab1cc79b9343db11f02d44352cfd7fb05ebbd2e98f4edec0
              • Instruction Fuzzy Hash: 854192B6900209AFCB14DF68C845FAEB7F9EB49310F14C52EF915D7681E774AA018BA1
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 009C3E7F
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
              • API String ID: 2659868963-1866435925
              • Opcode ID: 69e19507b5a5eaabf39232ddd45e8ff65c074aadf8f444aed648256a4a6374a7
              • Instruction ID: 23c59d04807394255b18ddae8d1deeb048bd1d8c7cfc3a4400bad8c4d54a8423
              • Opcode Fuzzy Hash: 69e19507b5a5eaabf39232ddd45e8ff65c074aadf8f444aed648256a4a6374a7
              • Instruction Fuzzy Hash: 8721E7B29043056FC714DF59D805F96B7ECAB45310F18C82EFA69CB682E774EA14CB92
              Strings
              • abcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 009D3BBB
              • \, xrefs: 009D3BF8
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: \$abcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZ
              • API String ID: 0-680898115
              • Opcode ID: 37631ef4d8250325de53978807fb27133bf07d1ec4bde8e6db9d2182334c184e
              • Instruction ID: 64d5c15c0d9e4d7882ff17c605a4205523ae6d92d5692fa93030c1b09421fe0b
              • Opcode Fuzzy Hash: 37631ef4d8250325de53978807fb27133bf07d1ec4bde8e6db9d2182334c184e
              • Instruction Fuzzy Hash: D3E1A071E002499FDB08CFA8C985BADBBB5FF49300F14C269E415EB382D7759A45CBA1
              APIs
              • Process32Next.KERNEL32(00000000,00000128), ref: 009CDAB0
              • Process32Next.KERNEL32(00000000,?), ref: 009CDAF8
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: NextProcess32
              • String ID: ?
              • API String ID: 1850201408-1684325040
              • Opcode ID: d7a67a39b0a0fe75d966cedea33b1570e93b242abf7c3f65326e5e42d6d973de
              • Instruction ID: ef2a5fa2171515e7788a51c46048d3c934ab6e8c43012379ef09273275f83d14
              • Opcode Fuzzy Hash: d7a67a39b0a0fe75d966cedea33b1570e93b242abf7c3f65326e5e42d6d973de
              • Instruction Fuzzy Hash: 42F14BB1D0122D9AEB21EB94CC55FEEB7BCAF15300F4044E9E549A6241EB745B88CF62
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 009C7340
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: parse error$parse_error
              • API String ID: 2659868963-1820534363
              • Opcode ID: 442b214b4b6c3b93308ea671eac00079ef2ea1cd49e70796cb7cb7512d836b55
              • Instruction ID: 12b0a1bf1f2bcde42a1f61b3ed951e9846bb13fb2241a67217cd27a705f606a1
              • Opcode Fuzzy Hash: 442b214b4b6c3b93308ea671eac00079ef2ea1cd49e70796cb7cb7512d836b55
              • Instruction Fuzzy Hash: 92E16E70E042498FDB18CFA8D985B9DBBB1BF49300F24826DE419EB792D7749A81CF51
              APIs
              • ___std_exception_destroy.LIBVCRUNTIME ref: 009C6F11
              • ___std_exception_destroy.LIBVCRUNTIME ref: 009C6F20
              Strings
              Memory Dump Source
              • Source File: 00000000.00000002.2907236987.00000000009C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
              • Associated: 00000000.00000002.2907152157.00000000009C0000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907236987.0000000000AF3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907593962.0000000000AF8000.00000008.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907655683.0000000000AFB000.00000004.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907713977.0000000000AFC000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2907782154.0000000000B08000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908128735.0000000000C69000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908181660.0000000000C6B000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C80000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908269198.0000000000C8E000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908408329.0000000000C93000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908468824.0000000000C95000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908578978.0000000000CBC000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908644702.0000000000CBD000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908704151.0000000000CC7000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908765437.0000000000CD3000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908833171.0000000000CED000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000CF0000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D2D000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2908891317.0000000000D31000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909137887.0000000000D5B000.00000040.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D5C000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909205888.0000000000D62000.00000080.00000001.01000000.00000003.sdmp
              • Associated: 00000000.00000002.2909349437.0000000000D72000.00000040.00000001.01000000.00000003.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_9c0000_LisectAVT_2403002A_151.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_destroy
              • String ID: [json.exception.
              • API String ID: 4194217158-791563284
              • Opcode ID: 9a11cf9fb6a63a5d0d2191fcca3b3c22088b25337c710fed1ed18abeead37389
              • Instruction ID: 07967f29ce5dd3890ef4cf4ad9b18f9bf79730aaa674a1c4a5191a3a7b9aadb3
              • Opcode Fuzzy Hash: 9a11cf9fb6a63a5d0d2191fcca3b3c22088b25337c710fed1ed18abeead37389
              • Instruction Fuzzy Hash: 2E91C070E002099FDB18CF68D984B9EBBF6EF45300F20862DE415EB792D771A941CB51

              Execution Graph

              Execution Coverage:3.2%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:0%
              Total number of Nodes:660
              Total number of Limit Nodes:82
              APIs
              • GetUserNameA.ADVAPI32(?,00000104,?,?,?), ref: 005F8006
              • GetFileAttributesA.KERNELBASE(?,00000001,?,?,?,?), ref: 005F815D
              • __Mtx_unlock.LIBCPMT ref: 005F8186
              • __Mtx_unlock.LIBCPMT ref: 005F8195
              • GetFileAttributesA.KERNELBASE(?,?,0000005C,00000000,00000001), ref: 005F8751
              • __Mtx_unlock.LIBCPMT ref: 005F877A
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Mtx_unlock$AttributesFile$NameUser
              • String ID: *$+$131$P?Y$Q>5$\$\
              • API String ID: 1275484822-3500402200
              • Opcode ID: 7eef7824a74f022f95a319b507a7206870e11c5d68f7981bc799e4df7bc40fec
              • Instruction ID: 19c079cd4cafa86434ed53aada870ea4f3501303f115f5e90cdcc216bcea6313
              • Opcode Fuzzy Hash: 7eef7824a74f022f95a319b507a7206870e11c5d68f7981bc799e4df7bc40fec
              • Instruction Fuzzy Hash: 71237D709002598FDB28CF68CC94BEEBBB5BF05304F2481EDD509AB282E7759A85CF55

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 585 5eb6a0-5eb6fc 586 5eb6fe-5eb701 585->586 587 5eb704-5eb72d 585->587 586->587 589 5eb7e5-5eb7ec 587->589 590 5eb733-5eb743 call 6c50b2 587->590 591 5eb7ee-5eb7fa 589->591 592 5eb816-5eb826 589->592 599 5eb749-5eb75d 590->599 600 5eb7e4 590->600 594 5eb80c-5eb813 call 6bf511 591->594 595 5eb7fc-5eb80a 591->595 594->592 595->594 597 5eb827-5eb863 call 6c47b0 call 5ea440 595->597 612 5eb86a-5eb87e 597->612 613 5eb865 597->613 606 5eb75f-5eb78c 599->606 607 5eb7db-5eb7e1 call 6cd7d6 599->607 600->589 606->607 615 5eb78e-5eb79e call 6c50b2 606->615 607->600 614 5eb880-5eb88b 612->614 613->612 614->614 616 5eb88d-5eb8bd 614->616 615->607 621 5eb7a0-5eb7b9 615->621 618 5eb8c0-5eb8c5 616->618 618->618 620 5eb8c7-5eb921 call 5e2ae0 618->620 625 5eb925-5eb930 620->625 626 5eb7bb-5eb7bd 621->626 627 5eb7d2-5eb7d8 call 6cd7d6 621->627 625->625 628 5eb932-5eb94e RegOpenKeyExA 625->628 629 5eb7c0-5eb7c5 626->629 627->607 631 5eb954-5eb97d 628->631 632 5eb9e5-5eb9f9 628->632 629->629 633 5eb7c7-5eb7cd call 64a350 629->633 636 5eb980-5eb98b 631->636 635 5eba00-5eba0b 632->635 633->627 635->635 638 5eba0d-5eba3d 635->638 636->636 639 5eb98d-5eb9b1 RegQueryValueExA 636->639 640 5eba40-5eba45 638->640 641 5eb9dc-5eb9df 639->641 642 5eb9b3-5eb9bc 639->642 640->640 643 5eba47-5eba7f call 5e2ae0 call 6c14f0 GetCurrentHwProfileA 640->643 641->632 644 5eb9c0-5eb9c5 642->644 651 5ebaac-5ebad9 call 5eb360 SetupDiGetClassDevsA 643->651 652 5eba81-5eba8a 643->652 644->644 646 5eb9c7-5eb9d7 call 64a350 644->646 646->641 657 5ebb0d-5ebb1b call 5eb1a0 651->657 658 5ebadb-5ebb0b 651->658 654 5eba90-5eba95 652->654 654->654 656 5eba97-5ebaa7 call 64a350 654->656 656->651 660 5ebb1e-5ebb3c 657->660 658->660 663 5ebb40-5ebb45 660->663 663->663 664 5ebb47-5ebb58 663->664 665 5ebb5e-5ebb6b 664->665 666 5ec141 call 5e2270 664->666 668 5ebb6d 665->668 669 5ebb73-5ebb9a call 6520e0 665->669 670 5ec146 call 6c47b0 666->670 668->669 675 5ebb9c 669->675 676 5ebba2-5ebbba 
669->676 674 5ec14b-5ec167 call 6c47b0 670->674 686 5ec169-5ec16b 674->686 687 5ec182-5ec185 674->687 675->676 677 5ebbbc-5ebbce 676->677 678 5ebbf3-5ebc08 call 6506c0 676->678 680 5ebbd6-5ebbf1 call 6c0f70 677->680 681 5ebbd0 677->681 689 5ebc0a-5ebd39 call 64a480 call 651ed0 call 64a480 call 651ed0 678->689 680->689 681->680 690 5ec170-5ec17c 686->690 700 5ebd6a-5ebd77 689->700 701 5ebd3b-5ebd4a 689->701 690->690 692 5ec17e 690->692 692->687 704 5ebda8-5ebdcd 700->704 705 5ebd79-5ebd88 700->705 702 5ebd4c-5ebd5a 701->702 703 5ebd60-5ebd67 call 6bf511 701->703 702->670 702->703 703->700 709 5ebdcf-5ebddb 704->709 710 5ebdfb-5ebe05 704->710 707 5ebd9e-5ebda5 call 6bf511 705->707 708 5ebd8a-5ebd98 705->708 707->704 708->670 708->707 715 5ebddd-5ebdeb 709->715 716 5ebdf1-5ebdf8 call 6bf511 709->716 711 5ebe07-5ebe13 710->711 712 5ebe33-5ebe52 710->712 718 5ebe29-5ebe30 call 6bf511 711->718 719 5ebe15-5ebe23 711->719 720 5ebe54-5ebe63 712->720 721 5ebe83-5ebeab 712->721 715->670 715->716 716->710 718->712 719->670 719->718 725 5ebe79-5ebe80 call 6bf511 720->725 726 5ebe65-5ebe73 720->726 727 5ebedc-5ebee6 721->727 728 5ebead-5ebebc 721->728 725->721 726->670 726->725 731 5ebee8-5ebef4 727->731 732 5ebf14-5ebf9b 727->732 729 5ebebe-5ebecc 728->729 730 5ebed2-5ebed9 call 6bf511 728->730 729->670 729->730 730->727 736 5ebf0a-5ebf11 call 6bf511 731->736 737 5ebef6-5ebf04 731->737 738 5ebf9d-5ebfa3 732->738 739 5ebfa6-5ebfab 732->739 736->732 737->670 737->736 738->739 743 5ebfad 739->743 744 5ebfd6-5ebfd8 739->744 748 5ebfb2-5ebfce call 665b20 743->748 745 5ebfda-5ebffe call 6c0f70 744->745 746 5ec000 744->746 750 5ec00a-5ec01d call 665980 745->750 746->750 755 5ebfd0 748->755 757 5ec01f-5ec02f 750->757 758 5ec030-5ec04f 750->758 755->744 757->758 759 5ec050-5ec055 758->759 759->759 760 5ec057-5ec06e call 5e2ae0 759->760 763 5ec09f-5ec0c3 760->763 764 5ec070-5ec07f 760->764 767 5ec0f8-5ec101 763->767 768 5ec0c5-5ec0d6 763->768 765 5ec095-5ec09c call 6bf511 764->765 766 
5ec081-5ec08f 764->766 765->763 766->674 766->765 772 5ec12e-5ec140 767->772 773 5ec103-5ec112 767->773 770 5ec0ee-5ec0f5 call 6bf511 768->770 771 5ec0d8-5ec0e9 768->771 770->767 771->674 775 5ec0eb 771->775 777 5ec124-5ec12b call 6bf511 773->777 778 5ec114-5ec122 773->778 775->770 777->772 778->674 778->777
              APIs
              • RegOpenKeyExA.KERNELBASE(80000002,C0D5DDC2,00000000,00020019,00000000,FAF8FCC4,FAF8FCC5), ref: 005EB947
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Open
              • String ID: :$_$_$_
              • API String ID: 71445658-4119709311
              • Opcode ID: 392c2410b4c14f3e4bb990687df2e1fd5808172aafefab5fc9206d059a0459cc
              • Instruction ID: 931ccb8799fc0e960de74f5d4065b441196c4630b41b51edf3e21b3853550c0e
              • Opcode Fuzzy Hash: 392c2410b4c14f3e4bb990687df2e1fd5808172aafefab5fc9206d059a0459cc
              • Instruction Fuzzy Hash: 61729171D002599FEB18CF68CC94BEEBBB6BF45304F1481ADE449AB282D7749A85CF50

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1091 5fe0a0-5fe0d2 WSAStartup 1092 5fe0d8-5fe102 call 5e6bd0 * 2 1091->1092 1093 5fe1b7-5fe1c0 1091->1093 1098 5fe10e-5fe165 1092->1098 1099 5fe104-5fe108 1092->1099 1101 5fe167-5fe16d 1098->1101 1102 5fe1b1 1098->1102 1099->1093 1099->1098 1103 5fe16f 1101->1103 1104 5fe1c5-5fe1cf 1101->1104 1102->1093 1105 5fe175-5fe189 socket 1103->1105 1104->1102 1108 5fe1d1-5fe1d9 1104->1108 1105->1102 1107 5fe18b-5fe19b connect 1105->1107 1109 5fe19d-5fe1a5 closesocket 1107->1109 1110 5fe1c1 1107->1110 1109->1105 1111 5fe1a7-5fe1ab 1109->1111 1110->1104 1111->1102
              APIs
              • WSAStartup.WS2_32 ref: 005FE0CB
              • socket.WS2_32(?,?,?,?,?,?,00717320,?,?,?,?,?,?), ref: 005FE17F
              • connect.WS2_32(00000000,?,00000000,?,?,?,00717320,?,?,?,?,?,?), ref: 005FE193
              • closesocket.WS2_32(00000000), ref: 005FE19E
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Startupclosesocketconnectsocket
              • String ID:
              • API String ID: 3098855095-0
              • Opcode ID: 9282defdcc649b618e162b627092d5b03f75c6e4733b7bfde1859186feb6374c
              • Instruction ID: b3ebcae118c746845e7b5c7a3a6e93bb26e3bf543a709c9c93aa8bebe3e50caf
              • Opcode Fuzzy Hash: 9282defdcc649b618e162b627092d5b03f75c6e4733b7bfde1859186feb6374c
              • Instruction Fuzzy Hash: 1C31B6716053045BE7209F258849B6BBBE4FBC5764F004F1DF9A4A62E0D33999048B92

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1349 6bf290-6bf293 1350 6bf2a2-6bf2a5 call 6cdf2c 1349->1350 1352 6bf2aa-6bf2ad 1350->1352 1353 6bf2af-6bf2b0 1352->1353 1354 6bf295-6bf2a0 call 6d17d8 1352->1354 1354->1350 1357 6bf2b1-6bf2b5 1354->1357 1358 6bf2bb 1357->1358 1359 5e21d0-5e2220 call 5e21b0 call 6c0efb call 6c0651 1357->1359 1358->1358
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E220E
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^
              • API String ID: 2659868963-985837307
              • Opcode ID: bc8ceb2c76924f206182f052f298989bd0a343bbd9bcc19d4f57e16a143a29f4
              • Instruction ID: e94f8ef04def47f14dcc88fbf19d73d15d711668984b3a8775314f87b7d1d840
              • Opcode Fuzzy Hash: bc8ceb2c76924f206182f052f298989bd0a343bbd9bcc19d4f57e16a143a29f4
              • Instruction Fuzzy Hash: 5B01207550030DA7CB18AF99DC059D57BDEDA00310F50843DFA18DB651E770E590C794

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1366 5ea690-5ea6a7 call 6be812 1369 5ea6fe-5ea722 call 6be4bb call 6be812 1366->1369 1370 5ea6a9-5ea6ab 1366->1370 1383 5ea73f-5ea745 call 6be4bb 1369->1383 1384 5ea724-5ea73e call 6be823 1369->1384 1372 5ea6ad-5ea6af 1370->1372 1373 5ea6e7 1370->1373 1376 5ea6b2-5ea6b7 1372->1376 1374 5ea6e9-5ea6fd call 6be823 1373->1374 1376->1376 1379 5ea6b9-5ea6bb 1376->1379 1379->1373 1382 5ea6bd-5ea6c7 GetFileAttributesA 1379->1382 1385 5ea6c9-5ea6d2 1382->1385 1386 5ea6e3-5ea6e5 1382->1386 1385->1386 1392 5ea6d4-5ea6d7 1385->1392 1386->1374 1392->1386 1394 5ea6d9-5ea6dc 1392->1394 1394->1386 1395 5ea6de-5ea6e1 1394->1395 1395->1373 1395->1386
              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Mtx_unlock$AttributesFile
              • String ID:
              • API String ID: 1886074773-0
              • Opcode ID: 87ea4ac7bf507aff71a37a562f04a3ff30bbd1200ca6f0c11287343e4a4a29f8
              • Instruction ID: c67b08ecc76a84ee1085e5898f284efbfb2b7d43caef2053dda2b944e1132c74
              • Opcode Fuzzy Hash: 87ea4ac7bf507aff71a37a562f04a3ff30bbd1200ca6f0c11287343e4a4a29f8
              • Instruction Fuzzy Hash: 6E0149E1E401A0229E7C21BA2C464FB6D49985376871D8D26FCD1DB257F44BEE8082E3

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1396 650560-65057f 1397 650585-650598 1396->1397 1398 6506a9 call 5e2270 1396->1398 1400 6505c0-6505c8 1397->1400 1401 65059a 1397->1401 1402 6506ae call 5e21d0 1398->1402 1403 6505d1-6505d5 1400->1403 1404 6505ca-6505cf 1400->1404 1405 65059c-6505a1 1401->1405 1411 6506b3-6506b8 call 6c47b0 1402->1411 1408 6505d7 1403->1408 1409 6505d9-6505e1 1403->1409 1404->1405 1406 6505a4-6505a5 call 6bf290 1405->1406 1414 6505aa-6505af 1406->1414 1408->1409 1412 6505f0-6505f2 1409->1412 1413 6505e3-6505e8 1409->1413 1417 6505f4-6505ff call 6bf290 1412->1417 1418 650601 1412->1418 1413->1402 1416 6505ee 1413->1416 1414->1411 1420 6505b5-6505be 1414->1420 1416->1406 1419 650603-650629 1417->1419 1418->1419 1423 650680-6506a6 call 6c0f70 call 6c14f0 1419->1423 1424 65062b-650655 call 6c0f70 call 6c14f0 1419->1424 1420->1419 1434 650657-650665 1424->1434 1435 650669-65067d call 6bf511 1424->1435 1434->1411 1436 650667 1434->1436 1436->1435
              APIs
              • Concurrency::cancel_current_task.LIBCPMT ref: 006506AE
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Concurrency::cancel_current_task
              • String ID: 5_
              • API String ID: 118556049-1161999416
              • Opcode ID: 704878a6fb962aec51445f9c7907984ce5d7d965d91800b1a8fb89f3cbd27ced
              • Instruction ID: 621670e01086a16ed09b242363608e4a2a7c6520bd4230c6ee20ac2c4a5d64cb
              • Opcode Fuzzy Hash: 704878a6fb962aec51445f9c7907984ce5d7d965d91800b1a8fb89f3cbd27ced
              • Instruction Fuzzy Hash: C641F672A001149BDB15DF68DD80AAE7BA6EF85311F1401ADFC15DB302EB30DE658BE5

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1439 5ea090-5ea12b call 6bf290 call 5e2ae0 1444 5ea130-5ea13b 1439->1444 1444->1444 1445 5ea13d-5ea148 1444->1445 1446 5ea14d-5ea15e call 6c5362 1445->1446 1447 5ea14a 1445->1447 1450 5ea1c4-5ea1ca 1446->1450 1451 5ea160-5ea189 call 6c9136 call 6c4eeb call 6c9136 1446->1451 1447->1446 1452 5ea1cc-5ea1d8 1450->1452 1453 5ea1f4-5ea206 1450->1453 1468 5ea19b-5ea1a2 call 64cf60 1451->1468 1469 5ea18b-5ea18f 1451->1469 1455 5ea1ea-5ea1f1 call 6bf511 1452->1455 1456 5ea1da-5ea1e8 1452->1456 1455->1453 1456->1455 1458 5ea207-5ea2ab call 6c47b0 call 6bf290 call 5e2ae0 1456->1458 1479 5ea2b0-5ea2bb 1458->1479 1475 5ea1a7-5ea1ad 1468->1475 1471 5ea193-5ea199 1469->1471 1472 5ea191 1469->1472 1471->1475 1472->1471 1477 5ea1af 1475->1477 1478 5ea1b1-5ea1c1 call 6cdbdf call 6c8be8 1475->1478 1477->1478 1478->1450 1479->1479 1481 5ea2bd-5ea2c8 1479->1481 1483 5ea2cd-5ea2de call 6c5362 1481->1483 1484 5ea2ca 1481->1484 1489 5ea2e0-5ea305 call 6c9136 call 6c4eeb call 6c9136 1483->1489 1490 5ea351-5ea357 1483->1490 1484->1483 1508 5ea30c-5ea316 1489->1508 1509 5ea307 1489->1509 1492 5ea359-5ea365 1490->1492 1493 5ea381-5ea393 1490->1493 1495 5ea377-5ea37e call 6bf511 1492->1495 1496 5ea367-5ea375 1492->1496 1495->1493 1496->1495 1498 5ea394-5ea3ae call 6c47b0 1496->1498 1505 5ea3b0-5ea3bb 1498->1505 1505->1505 1507 5ea3bd-5ea3c8 1505->1507 1510 5ea3cd-5ea3df call 6c5362 1507->1510 1511 5ea3ca 1507->1511 1512 5ea328-5ea32f call 64cf60 1508->1512 1513 5ea318-5ea31c 1508->1513 1509->1508 1522 5ea3fc-5ea403 1510->1522 1523 5ea3e1-5ea3f9 call 6c9136 call 6c4eeb call 6c8be8 1510->1523 1511->1510 1518 5ea334-5ea33a 1512->1518 1516 5ea31e 1513->1516 1517 5ea320-5ea326 1513->1517 1516->1517 1517->1518 1520 5ea33e-5ea349 call 6cdbdf call 6c8be8 1518->1520 1521 5ea33c 1518->1521 1538 5ea34e 1520->1538 1521->1520 1524 5ea42d-5ea433 1522->1524 1525 5ea405-5ea411 1522->1525 1523->1522 1528 5ea423-5ea42a call 6bf511 1525->1528 1529 5ea413-5ea421 1525->1529 1528->1524 1529->1528 1532 5ea434-5ea439 call 6c47b0 1529->1532 1538->1490
              APIs
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: __fread_nolock
              • String ID:
              • API String ID: 2638373210-0
              • Opcode ID: c3b6ebdc6bdc5238eff1670e9f0308f10caecd4dd7de0264fed6f67307a1fac0
              • Instruction ID: fa3e0b59eb018f084bbdd9c798585d0462cabb8994c0ed21eeed4914b4550dfd
              • Opcode Fuzzy Hash: c3b6ebdc6bdc5238eff1670e9f0308f10caecd4dd7de0264fed6f67307a1fac0
              • Instruction Fuzzy Hash: 02B12470900284AFDB18DF69CC49BAEBFE9FF45300F10856DF4459B682D7B4AA41C7A6

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1543 6d4623-6d4633 1544 6d464d-6d464f 1543->1544 1545 6d4635-6d4648 call 6cd22c call 6cd23f 1543->1545 1546 6d498f-6d499c call 6cd22c call 6cd23f 1544->1546 1547 6d4655-6d465b 1544->1547 1559 6d49a7 1545->1559 1566 6d49a2 call 6c47a0 1546->1566 1547->1546 1550 6d4661-6d468a 1547->1550 1550->1546 1553 6d4690-6d4699 1550->1553 1556 6d469b-6d46ae call 6cd22c call 6cd23f 1553->1556 1557 6d46b3-6d46b5 1553->1557 1556->1566 1562 6d498b-6d498d 1557->1562 1563 6d46bb-6d46bf 1557->1563 1564 6d49aa-6d49ad 1559->1564 1562->1564 1563->1562 1567 6d46c5-6d46c9 1563->1567 1566->1559 1567->1556 1570 6d46cb-6d46e2 1567->1570 1571 6d46e4-6d46e7 1570->1571 1572 6d4717-6d471d 1570->1572 1574 6d470d-6d4715 1571->1574 1575 6d46e9-6d46ef 1571->1575 1576 6d471f-6d4726 1572->1576 1577 6d46f1-6d4708 call 6cd22c call 6cd23f call 6c47a0 1572->1577 1579 6d478a-6d47a9 1574->1579 1575->1574 1575->1577 1580 6d4728 1576->1580 1581 6d472a-6d4748 call 6d6e2d call 6d6db3 * 2 1576->1581 1606 6d48c2 1577->1606 1583 6d47af-6d47bb 1579->1583 1584 6d4865-6d486e call 6e0d44 1579->1584 1580->1581 1610 6d474a-6d4760 call 6cd23f call 6cd22c 1581->1610 1611 6d4765-6d4788 call 6ce13d 1581->1611 1583->1584 1588 6d47c1-6d47c3 1583->1588 1597 6d48df 1584->1597 1598 6d4870-6d4882 1584->1598 1588->1584 1593 6d47c9-6d47ea 1588->1593 1593->1584 1594 6d47ec-6d4802 1593->1594 1594->1584 1599 6d4804-6d4806 1594->1599 1603 6d48e3-6d48f9 ReadFile 1597->1603 1598->1597 1602 6d4884-6d4893 1598->1602 1599->1584 1604 6d4808-6d482b 1599->1604 1602->1597 1619 6d4895-6d4899 1602->1619 1607 6d48fb-6d4901 1603->1607 1608 6d4957-6d4962 1603->1608 1604->1584 1609 6d482d-6d4843 1604->1609 1612 6d48c5-6d48cf call 6d6db3 1606->1612 1607->1608 1614 6d4903 1607->1614 1628 6d497b-6d497e 1608->1628 1629 6d4964-6d4976 call 6cd23f call 6cd22c 1608->1629 1609->1584 1615 6d4845-6d4847 1609->1615 1610->1606 1611->1579 1612->1564 1621 6d4906-6d4918 1614->1621 1615->1584 1623 6d4849-6d4860 1615->1623 1619->1603 1627 6d489b-6d48b3 1619->1627 1621->1612 1622 6d491a-6d491e 1621->1622 1631 6d4937-6d4944 1622->1631 1632 6d4920-6d4930 call 6d4335 1622->1632 1623->1584 1643 6d48b5 1627->1643 1644 6d48d4-6d48dd 1627->1644 1633 6d48bb-6d48c1 call 6cd1e5 1628->1633 1634 6d4984-6d4986 1628->1634 1629->1606 1640 6d4946 call 6d448c 1631->1640 1641 6d4950-6d4955 call 6d417b 1631->1641 1651 6d4933-6d4935 1632->1651 1633->1606 1634->1612 1652 6d494b-6d494e 1640->1652 1641->1652 1643->1633 1644->1621 1651->1612 1652->1651
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c825a6aac7e6686e4bc2fd37150b3a452aa281e125bd09d457e0e87c7d4fbb5
              • Instruction ID: a13c429f1cafdf9861ded8d5526159d6acd1488c4acbd63ff361199e83d424c4
              • Opcode Fuzzy Hash: 1c825a6aac7e6686e4bc2fd37150b3a452aa281e125bd09d457e0e87c7d4fbb5
              • Instruction Fuzzy Hash: 74B1E170E04245ABDB119FA9D890BBEBBB7EF49300F14415EE544AB382DB74DD42CBA4

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1654 6d549c-6d54be 1655 6d54c4-6d54c6 1654->1655 1656 6d56b1 1654->1656 1658 6d54c8-6d54e7 call 6c4723 1655->1658 1659 6d54f2-6d5515 1655->1659 1657 6d56b3-6d56b7 1656->1657 1667 6d54ea-6d54ed 1658->1667 1661 6d551b-6d5521 1659->1661 1662 6d5517-6d5519 1659->1662 1661->1658 1663 6d5523-6d5534 1661->1663 1662->1661 1662->1663 1665 6d5547-6d5557 call 6d4fe1 1663->1665 1666 6d5536-6d5544 call 6ce17d 1663->1666 1672 6d5559-6d555f 1665->1672 1673 6d55a0-6d55b2 1665->1673 1666->1665 1667->1657 1676 6d5588-6d559e call 6d4bb2 1672->1676 1677 6d5561-6d5564 1672->1677 1674 6d5609-6d5629 WriteFile 1673->1674 1675 6d55b4-6d55ba 1673->1675 1682 6d562b-6d5631 1674->1682 1683 6d5634 1674->1683 1678 6d55bc-6d55bf 1675->1678 1679 6d55f5-6d5607 call 6d505e 1675->1679 1693 6d5581-6d5583 1676->1693 1680 6d556f-6d557e call 6d4f79 1677->1680 1681 6d5566-6d5569 1677->1681 1687 6d55e1-6d55f3 call 6d5222 1678->1687 1688 6d55c1-6d55c4 1678->1688 1705 6d55dc-6d55df 1679->1705 1680->1693 1681->1680 1689 6d5649-6d564c 1681->1689 1682->1683 1686 6d5637-6d5642 1683->1686 1694 6d56ac-6d56af 1686->1694 1695 6d5644-6d5647 1686->1695 1687->1705 1696 6d564f-6d5651 1688->1696 1697 6d55ca-6d55d7 call 6d5139 1688->1697 1689->1696 1693->1686 1694->1657 1695->1689 1702 6d567f-6d568b 1696->1702 1703 6d5653-6d5658 1696->1703 1697->1705 1708 6d568d-6d5693 1702->1708 1709 6d5695-6d56a7 1702->1709 1706 6d565a-6d566c 1703->1706 1707 6d5671-6d567a call 6cd208 1703->1707 1705->1693 1706->1667 1707->1667 1708->1656 1708->1709 1709->1667
              APIs
              • WriteFile.KERNELBASE(?,00000000,006C9087,?,00000000,00000000,00000000,?,00000000,?,006BE5B1,006C9087,00000000,006BE5B1,?,?), ref: 006D5622
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: FileWrite
              • String ID:
              • API String ID: 3934441357-0
              • Opcode ID: e12083f92a3117e4f684bf0f27148b50a467f5280bfe74f551f15d1dcfdd8550
              • Instruction ID: 2386cef9b7b9d5ec5e3b5a51c18e803e71e11760ec1e493f33c1f1aa5c0c510b
              • Opcode Fuzzy Hash: e12083f92a3117e4f684bf0f27148b50a467f5280bfe74f551f15d1dcfdd8550
              • Instruction Fuzzy Hash: 9761CF71D04559AFDF11DFA8D884EEEBBBBAF49304F14014AE801A7755D735DA02CBA0

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1712 6c4942-6c494f 1713 6c4979-6c498d call 6d5f82 1712->1713 1714 6c4951-6c4974 call 6c4723 1712->1714 1719 6c498f 1713->1719 1720 6c4992-6c499b call 6ce11f 1713->1720 1721 6c4ae0-6c4ae2 1714->1721 1719->1720 1723 6c49a0-6c49af 1720->1723 1724 6c49bf-6c49c8 1723->1724 1725 6c49b1 1723->1725 1728 6c49dc-6c4a10 1724->1728 1729 6c49ca-6c49d7 1724->1729 1726 6c4a89-6c4a8e 1725->1726 1727 6c49b7-6c49b9 1725->1727 1730 6c4ade-6c4adf 1726->1730 1727->1724 1727->1726 1732 6c4a6d-6c4a79 1728->1732 1733 6c4a12-6c4a1c 1728->1733 1731 6c4adc 1729->1731 1730->1721 1731->1730 1734 6c4a7b-6c4a82 1732->1734 1735 6c4a90-6c4a93 1732->1735 1736 6c4a1e-6c4a2a 1733->1736 1737 6c4a43-6c4a4f 1733->1737 1734->1726 1738 6c4a96-6c4a9e 1735->1738 1736->1737 1739 6c4a2c-6c4a3e call 6c4cae 1736->1739 1737->1735 1740 6c4a51-6c4a6b call 6c4e59 1737->1740 1742 6c4ada 1738->1742 1743 6c4aa0-6c4aa6 1738->1743 1739->1730 1740->1738 1742->1731 1746 6c4abe-6c4ac2 1743->1746 1747 6c4aa8-6c4abc call 6c4ae3 1743->1747 1750 6c4ac4-6c4ad2 call 6e4a10 1746->1750 1751 6c4ad5-6c4ad7 1746->1751 1747->1730 1750->1751 1751->1742
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0a2e1504c5850e8fe20b4dad3baba88650050e5f09559d2454b9620935fc08c7
              • Instruction ID: e3b3f6e926049fb13f97bb333c9eacba9229901be2eae458d2ca1c00716746a6
              • Opcode Fuzzy Hash: 0a2e1504c5850e8fe20b4dad3baba88650050e5f09559d2454b9620935fc08c7
              • Instruction Fuzzy Hash: 8351B570A00108AFDB14CF98C895FBABBB2EF49364F24815DF8499B356D7329E51CB94

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1755 6d4b12-6d4b26 call 6da6de 1758 6d4b2c-6d4b34 1755->1758 1759 6d4b28-6d4b2a 1755->1759 1761 6d4b3f-6d4b42 1758->1761 1762 6d4b36-6d4b3d 1758->1762 1760 6d4b7a-6d4b9a call 6da64d 1759->1760 1770 6d4bac 1760->1770 1771 6d4b9c-6d4baa call 6cd208 1760->1771 1765 6d4b44-6d4b48 1761->1765 1766 6d4b60-6d4b70 call 6da6de FindCloseChangeNotification 1761->1766 1762->1761 1764 6d4b4a-6d4b5e call 6da6de * 2 1762->1764 1764->1759 1764->1766 1765->1764 1765->1766 1766->1759 1777 6d4b72-6d4b78 1766->1777 1775 6d4bae-6d4bb1 1770->1775 1771->1775 1777->1760
              APIs
              • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,006D49F9,00000000,CF830579,00711140,0000000C,006D4AB5,006C8BBD,?), ref: 006D4B69
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ChangeCloseFindNotification
              • String ID:
              • API String ID: 2591292051-0
              • Opcode ID: 7c506a9bdf78cebb9e0fa72753cb897ec34ce4e911560c7ea630335fc439f6a7
              • Instruction ID: 7081d87a116f1d0c912f2b7fef8d253bf0b6591d68d577c003f73b3eae5f3813
              • Opcode Fuzzy Hash: 7c506a9bdf78cebb9e0fa72753cb897ec34ce4e911560c7ea630335fc439f6a7
              • Instruction Fuzzy Hash: 6E115532E0816457C66022746842BBE674B8BE23B0F39020FE8088B3C2EE74DC418198

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1781 6ce05c-6ce074 call 6da6de 1784 6ce08a-6ce0a0 SetFilePointerEx 1781->1784 1785 6ce076-6ce07d 1781->1785 1787 6ce0b5-6ce0bf 1784->1787 1788 6ce0a2-6ce0b3 call 6cd208 1784->1788 1786 6ce084-6ce088 1785->1786 1789 6ce0db-6ce0de 1786->1789 1787->1786 1790 6ce0c1-6ce0d6 1787->1790 1788->1786 1790->1789
              APIs
              • SetFilePointerEx.KERNELBASE(00000000,00000000,00710DF8,006BE5B1,00000002,006BE5B1,00000000,?,?,?,006CE166,00000000,?,006BE5B1,00000002,00710DF8), ref: 006CE099
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: d39fdac817ea6707f1c2d44ab327504007b298c03923ba6622c5d33ac1a1049e
              • Instruction ID: 4b2c4530dd6f5c6cd9de1249e5bd2e9a127e45e5db11dff9d37b4359315f9bff
              • Opcode Fuzzy Hash: d39fdac817ea6707f1c2d44ab327504007b298c03923ba6622c5d33ac1a1049e
              • Instruction Fuzzy Hash: 0F012632714155ABCF15CF18CC05EAE3B2ADB85330B24024DF8509B291FAB2EA618BD0

              Control-flow Graph (text summary; legend: Executed / Not Executed)
              • Basic blocks: 6d63f3-6d63fe, 6d6400-6d640a, 6d640c-6d6412, 6d6414-6d6415, 6d6417-6d641e (call 6d3f93), 6d6420-6d6429 (call 6d17d8), 6d642b-6d643c (RtlAllocateHeap), 6d643e, 6d6440-6d644b (call 6cd23f), 6d644d-6d644f
              APIs
              • RtlAllocateHeap.NTDLL(00000008,006BD6FA,00000004,?,006D5D79,00000001,00000364,00000004,00000007,000000FF,?,006C067B,00000002,00000000,?,?), ref: 006D6435
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: dd70c29814824660030c03807416df8c0f2fcd07cfc58b555f5ccd5f486424c2
              • Instruction ID: 16270d57eba96166127d7fa5164fd6c2d49d650dbf805420d65665565d533175
              • Opcode Fuzzy Hash: dd70c29814824660030c03807416df8c0f2fcd07cfc58b555f5ccd5f486424c2
              • Instruction Fuzzy Hash: E4F05431D05224669B616F66DC06B9B3BDB9B85764B15C067FC0496380CBA0E81146F5

              Control-flow Graph (text summary; legend: Executed / Not Executed)
              • Basic blocks: 6d6e2d-6d6e39, 6d6e3b-6d6e3d, 6d6e3f-6d6e40, 6d6e42-6d6e49 (call 6d3f93), 6d6e4b-6d6e54 (call 6d17d8), 6d6e56-6d6e67 (RtlAllocateHeap), 6d6e69, 6d6e6b-6d6e76 (call 6cd23f), 6d6e78-6d6e7a
              APIs
              • RtlAllocateHeap.NTDLL(00000000,00000004,00000000,?,006C067B,00000002,00000000,?,?,?,005E303D,006BD6FA,00000004,00000000,006BD6FA), ref: 006D6E60
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 21ed96c9941d739d9a3a6a6813b1c64fd9002d149d24ceefd233996655551bda
              • Instruction ID: d5ae9e3cd06139bca7e54e3b72637d2302153c6d613c7d602057d7f6a62a3cb3
              • Opcode Fuzzy Hash: 21ed96c9941d739d9a3a6a6813b1c64fd9002d149d24ceefd233996655551bda
              • Instruction Fuzzy Hash: A7E0ED39D48625A6DA3026A5CC00BEB778FCB823A1F050927FE04963D0CB60C80181E8
              APIs
              • GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 006640CC
              • GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 00664116
              • GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 0066414E
              • GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 00664196
              • GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 006641E9
              Strings
              • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36, xrefs: 00664037
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: AddressProc
              • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              • API String ID: 190572456-383447037
              • Opcode ID: c320df49a645d4c2508f90a401a709f66bb6b191b03c5bf2132a2f12d390c5a4
              • Instruction ID: 785bcbe4225f46ba508c4485db62e4dbad8d74276a9eb90a5671c12b8630e6d7
              • Opcode Fuzzy Hash: c320df49a645d4c2508f90a401a709f66bb6b191b03c5bf2132a2f12d390c5a4
              • Instruction Fuzzy Hash: 63C14DB08183999FDB04CFA8D495BEDBFF9EF19304F1040AEE845AB252E7744509CB69
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3f97ce6278b5da815f6c389bae476adc5dc884afc24939f4c376b69ad4ad6edd
              • Instruction ID: 35e5b952324dbe5d5ab8348961ccb54105ad1c26cfab47d5d8da423fd14e921f
              • Opcode Fuzzy Hash: 3f97ce6278b5da815f6c389bae476adc5dc884afc24939f4c376b69ad4ad6edd
              • Instruction Fuzzy Hash: 50020B71E012199FDF24CFA9C880BEEBBB2FF48314F25826DD519A7341DB31A9418B94
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 0064F833
              • std::_Lockit::_Lockit.LIBCPMT ref: 0064F855
              • std::_Lockit::~_Lockit.LIBCPMT ref: 0064F875
              • std::_Lockit::~_Lockit.LIBCPMT ref: 0064F89F
              • std::_Lockit::_Lockit.LIBCPMT ref: 0064F90D
              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0064F959
              • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0064F973
              • std::_Lockit::~_Lockit.LIBCPMT ref: 0064FA08
              • std::_Facet_Register.LIBCPMT ref: 0064FA15
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
              • String ID: bad locale name$"p
              • API String ID: 3375549084-3171176342
              • Opcode ID: 7aa2c72839345ba2a3351bdc47133f54cc2a929e7d355cde31e1148d17aec5b7
              • Instruction ID: ce597d6b4fae1cf081d736e30517dd115e594cb7dd165c2c0c0c4dc7372078b9
              • Opcode Fuzzy Hash: 7aa2c72839345ba2a3351bdc47133f54cc2a929e7d355cde31e1148d17aec5b7
              • Instruction Fuzzy Hash: 95617EB1D00248DFEF10DFA8D845BDEBBB6AF14310F148568E805AB381EB75E945CBA5
              APIs
              • GetModuleHandleA.KERNEL32(F8F7E6FF,?,?,007156BC), ref: 005E8E0E
              • GetProcAddress.KERNEL32(00000000,E1D7E6DF), ref: 005E8E1B
              • GetModuleHandleA.KERNEL32(F8F7E6FF), ref: 005E8E85
              • GetProcAddress.KERNEL32(00000000,E1C2E6DF), ref: 005E8E8C
              • CloseHandle.KERNEL32(00000000), ref: 005E9092
              • CloseHandle.KERNEL32(00000000), ref: 005E90F4
              • CloseHandle.KERNEL32(00000000), ref: 005E9121
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Handle$Close$AddressModuleProc
              • String ID: File$}Vn$}Vn
              • API String ID: 4110381430-1811535537
              • Opcode ID: d70638dc2a6a635cc957d16cf946a72a1fa66fd67d0beaf1d8f075270a7a3942
              • Instruction ID: 1cd2c346e452ac5b22c90c0b417bca579a0c1b15b7c4db45e036255feb5d2f49
              • Opcode Fuzzy Hash: d70638dc2a6a635cc957d16cf946a72a1fa66fd67d0beaf1d8f075270a7a3942
              • Instruction Fuzzy Hash: FBC18D70D002999BEF24DFA5CC85BAEBBB9FF04300F50406DE944BB282DB759A45CB65
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E3E7F
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: @3^$@3^$G>^$G>^$`!^$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
              • API String ID: 2659868963-3207115525
              • Opcode ID: a1e167198c0edcf480cfa73e5b4090e4a6114dbe965f9ede2e11dfc9446e6166
              • Instruction ID: be67246fe3a6c0bad200ac019c19242625935175ca8ca25768e86609e8068661
              • Opcode Fuzzy Hash: a1e167198c0edcf480cfa73e5b4090e4a6114dbe965f9ede2e11dfc9446e6166
              • Instruction Fuzzy Hash: 9F41B4B2900248AFC708DF59CC49BAEBBF9FF49310F14856EF955D7641E770AA008BA4
              APIs
              • _ValidateLocalCookies.LIBCMT ref: 006C2E47
              • ___except_validate_context_record.LIBVCRUNTIME ref: 006C2E4F
              • _ValidateLocalCookies.LIBCMT ref: 006C2ED8
              • __IsNonwritableInCurrentImage.LIBCMT ref: 006C2F03
              • _ValidateLocalCookies.LIBCMT ref: 006C2F58
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
              • String ID: iq$csm
              • API String ID: 1170836740-2322788918
              • Opcode ID: a356d2be9958ce262c464a5f1c8514f14c16c0b6e0aaa860930b98369cf78690
              • Instruction ID: a706ce119ac4be38d775afb936fa536409232340db4a5c742e1839363dc8f508
              • Opcode Fuzzy Hash: a356d2be9958ce262c464a5f1c8514f14c16c0b6e0aaa860930b98369cf78690
              • Instruction Fuzzy Hash: EF419134A0020A9BCB10DF68C895FEEBBB6EF49314F14805DEC14AB392D731EA45CB90
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E3E7F
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: @3^$@3^$`!^$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
              • API String ID: 2659868963-535810501
              • Opcode ID: 406dc474efa465bcd219bbc36c74c4635f25b50a54c2cbe85e178bb6006d7667
              • Instruction ID: cb5d984c4f9a2cd1018b0fe4a11a8b2f30a5db11a23a93438b5fa7becf037b56
              • Opcode Fuzzy Hash: 406dc474efa465bcd219bbc36c74c4635f25b50a54c2cbe85e178bb6006d7667
              • Instruction Fuzzy Hash: 1A21EEB3500345ABC718DF59D809F96BBDCBB44310F14887EFA988B641E774E914CB95
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E7340
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^$parse error$parse_error$u^
              • API String ID: 2659868963-3588640227
              • Opcode ID: 96e4b53c47f70ecbcfdc5ee9a362f6256be67672fc5c53a38587b8eeb9d9bcb0
              • Instruction ID: 71c7deccd4a6390633cc7c7b46d384c605d062ab9284f6003387e50de9828908
              • Opcode Fuzzy Hash: 96e4b53c47f70ecbcfdc5ee9a362f6256be67672fc5c53a38587b8eeb9d9bcb0
              • Instruction Fuzzy Hash: F5E16D719042488FDB58CF68C884B9DBBB2FF48300F24866DE458EB792D7749A81CF55
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E799A
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E7B75
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^$out_of_range$type_error
              • API String ID: 2659868963-2822758601
              • Opcode ID: 4019c516f2f82b62e796e75ef782face80c5a8f67f2236dd931311d6cc02e3d0
              • Instruction ID: f090722619b0cb688438224bd3f5902fda0698fa266dfcc2e575e12fe33bf28d
              • Opcode Fuzzy Hash: 4019c516f2f82b62e796e75ef782face80c5a8f67f2236dd931311d6cc02e3d0
              • Instruction Fuzzy Hash: 5FC158B19002489FDB58CFA8D884B9DBBF6FF48300F14866DE459EB792E7749980CB54
              APIs
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E75BE
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E75CD
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_destroy
              • String ID: at line $, column $`!^$yo^
              • API String ID: 4194217158-262291558
              • Opcode ID: f389948c6c52c14b67ee78f4fe6b4bfda679fa01324f67328ba931072655488e
              • Instruction ID: 0a013b8861c3c4990ae5cc52710d9ea3714a46b88a47f8fc85044f53f2baf42a
              • Opcode Fuzzy Hash: f389948c6c52c14b67ee78f4fe6b4bfda679fa01324f67328ba931072655488e
              • Instruction Fuzzy Hash: 7E61F571A002499FDB0CCF68DC84BADBBB6FF48300F24462DF455A7782D774AA408B94
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 005E3A58
              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005E3AA4
              • __Getctype.LIBCPMT ref: 005E3ABA
              • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 005E3AE6
              • std::_Lockit::~_Lockit.LIBCPMT ref: 005E3B7B
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
              • String ID: bad locale name
              • API String ID: 1840309910-1405518554
              • Opcode ID: a50f3266298faa2dbf8d77462a04a12d52bd1765b6b7d6918e3402f3316bd8d4
              • Instruction ID: cc21b3653f9bdf4487c2a5149338688b3936f2470c9220968b8795935c4694f2
              • Opcode Fuzzy Hash: a50f3266298faa2dbf8d77462a04a12d52bd1765b6b7d6918e3402f3316bd8d4
              • Instruction Fuzzy Hash: DF518FB1D002489BEF14DFA5D885BDEBBB8BF14310F14406DE849AB381E775DA44CBA5
              APIs
              • LocalAlloc.KERNEL32(00000040,0000001C), ref: 005EB1F0
              • LocalAlloc.KERNEL32(00000040,0000001C,?,00000000,00000000), ref: 005EB239
              • SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,00000000,00000000,00000000,?,00000000), ref: 005EB26D
              • SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,?,00000000,?,00000000,00000000), ref: 005EB28F
              • LocalFree.KERNEL32(?,?,?,?,?,00000000,?,00000000,00000000), ref: 005EB2C0
              • LocalFree.KERNEL32(?,?,?,00000000,?,00000000,00000000), ref: 005EB2C5
              • LocalFree.KERNEL32(?,?,?,00000000,?,00000000,00000000), ref: 005EB2C8
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Local$Free$AllocDetailDeviceInterfaceSetup
              • String ID:
              • API String ID: 4232148138-0
              • Opcode ID: d1c9b4f887084d51ca7e659bf52d208bc36596985cfe7887dfc9ce3f2acae87a
              • Instruction ID: d7ce2470db9ac936b1682fe3b3286ce58d298316d030d0f081534b09bf3bb9ff
              • Opcode Fuzzy Hash: d1c9b4f887084d51ca7e659bf52d208bc36596985cfe7887dfc9ce3f2acae87a
              • Instruction Fuzzy Hash: EE413AB5A40349AFDB60DFA9DC41BAEBBF9FF48700F10452AE559E7690E770A9008B50
              APIs
              • __allrem.LIBCMT ref: 006CD69B
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006CD6B7
              • __allrem.LIBCMT ref: 006CD6CE
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006CD6EC
              • __allrem.LIBCMT ref: 006CD703
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006CD721
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
              • String ID:
              • API String ID: 1992179935-0
              • Opcode ID: 7222d4fbd83bf911f66e88245ad854337fd27cd591c1530f5d5dc897f2461532
              • Instruction ID: 48a856060aff5c9cfbb3f85407cc616c122fa544787b4e28f7136243ed06ba6f
              • Opcode Fuzzy Hash: 7222d4fbd83bf911f66e88245ad854337fd27cd591c1530f5d5dc897f2461532
              • Instruction Fuzzy Hash: 7E81B4B2A00705ABD720AA69DC41FBA73EBEF41724F24463EF415D7781EB74D9008BA4
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 0064DE93
              • std::_Lockit::_Lockit.LIBCPMT ref: 0064DEB6
              • std::_Lockit::~_Lockit.LIBCPMT ref: 0064DED6
              • std::_Facet_Register.LIBCPMT ref: 0064DF4B
              • std::_Lockit::~_Lockit.LIBCPMT ref: 0064DF63
              • Concurrency::cancel_current_task.LIBCPMT ref: 0064DF7B
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
              • String ID:
              • API String ID: 2081738530-0
              • Opcode ID: 4ed6bffd0b78159ff407af31dbd954671e8a6a5e5303b1d9258154c91553364c
              • Instruction ID: ad128decd795e6f4fb8bb067ab2e4cd2f2b68e7507bb84957efef601b003deb0
              • Opcode Fuzzy Hash: 4ed6bffd0b78159ff407af31dbd954671e8a6a5e5303b1d9258154c91553364c
              • Instruction Fuzzy Hash: 1A31EFB1D00256DFCB64DF48D880AEEBBB6FB00720F148299E8166B392D731AD45CBD5
              APIs
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E4F72
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E4FFF
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_destroy
              • String ID: ", "$: "$`!^
              • API String ID: 4194217158-1246380630
              • Opcode ID: 469bfa3249d7d0d453234af32832c2024593ae1d1879c7a3f5db4ad7cb7ecb15
              • Instruction ID: 9d4ecd15a9fb4cb3803a870d02549764480b424ce4b5c487b1776da080fb8fa0
              • Opcode Fuzzy Hash: 469bfa3249d7d0d453234af32832c2024593ae1d1879c7a3f5db4ad7cb7ecb15
              • Instruction Fuzzy Hash: D1C1F2719002448FDB28DF69C885BAEBBFAFF44300F14492DE49697782E774A944CBA5
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: \*.*
              • API String ID: 0-1173974218
              • Opcode ID: f9d33ad8415a2213b6c63c4fafee7cfd17aff15e67ec92f13b5557ef2d0240b6
              • Instruction ID: c970ecd9929ef75b8097d8b7739a4bd0ab55f1925b006fc35dbdcb5d1241d3bb
              • Opcode Fuzzy Hash: f9d33ad8415a2213b6c63c4fafee7cfd17aff15e67ec92f13b5557ef2d0240b6
              • Instruction Fuzzy Hash: BBA1C2709002899FDB18DFB9C9947EEBFB6FF48310F104529E491E7282D770A985CB66
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E32C6
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E3350
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy___std_exception_destroy
              • String ID: @3^$`!^$`!^
              • API String ID: 2970364248-1577654005
              • Opcode ID: d109883bd55ba2f7dfcc1521371c8576c4f4afe41f0e331bad2ed7a73cb87214
              • Instruction ID: 422a81c6e04e715ea09989a2445efeb52ca69406a98966cbd1387b5847a8e03f
              • Opcode Fuzzy Hash: d109883bd55ba2f7dfcc1521371c8576c4f4afe41f0e331bad2ed7a73cb87214
              • Instruction Fuzzy Hash: 7C519C759002589FDB18CF98D889BEEBBB6FF48300F14812EE855A7392D7749A41CB94
              APIs
                • Part of subcall function 005E3190: ___std_exception_copy.LIBVCRUNTIME ref: 005E32C6
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E345F
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: +4^$@3^$@3^$`!^
              • API String ID: 2659868963-1877915259
              • Opcode ID: 1112750ba11c832e4ee43f4b265f4be5aa83058f2b7514e55cd3bba508bf219e
              • Instruction ID: eefbd888b26400e8744f0fd53b75aee4a205a8e466fe3fc9906cff9e993418c0
              • Opcode Fuzzy Hash: 1112750ba11c832e4ee43f4b265f4be5aa83058f2b7514e55cd3bba508bf219e
              • Instruction Fuzzy Hash: 9031A2B29002499FCB18DFA9D845AAEFFF9FB48710F10852EE514D7641E770A650CB94
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E345F
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: +4^$@3^$@3^$`!^
              • API String ID: 2659868963-1877915259
              • Opcode ID: fa909f59a189929e4be73e45fe020132d58692f46218755354ced847ba4093e8
              • Instruction ID: d410605c97ee4df992438e68a59f24d2a626607e28a96a9b5ffaa829754c472b
              • Opcode Fuzzy Hash: fa909f59a189929e4be73e45fe020132d58692f46218755354ced847ba4093e8
              • Instruction Fuzzy Hash: D901FFB650030AAF8708DFA9D445C96FBFDFF58710710846AE51987611EBB0E554CB94
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 0064D06F
              • ___std_exception_copy.LIBVCRUNTIME ref: 0064D096
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^$u^
              • API String ID: 2659868963-2492332708
              • Opcode ID: dd1def0ff16d497944d201b012077c8bc6c966005e92632583c57d8a32d5e22e
              • Instruction ID: 9cad35764ec978474cc63aabc3895d499ff1912013720ef161d5ab616e6513b9
              • Opcode Fuzzy Hash: dd1def0ff16d497944d201b012077c8bc6c966005e92632583c57d8a32d5e22e
              • Instruction Fuzzy Hash: C001A4B6501706AF8704DF59D405892FBF9FB58710701852FE529CBB11E7B0E528CFA4
              APIs
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E6F11
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E6F20
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_destroy
              • String ID: [json.exception.$`!^
              • API String ID: 4194217158-1084409180
              • Opcode ID: a240104034051146a43101b4de89cd38ced386b663d615c1b35dc24524215f6e
              • Instruction ID: bbb90b0123d943d23f9c415c546ff84419f8fc23d1c2dace56f9b3acc5ea2c56
              • Opcode Fuzzy Hash: a240104034051146a43101b4de89cd38ced386b663d615c1b35dc24524215f6e
              • Instruction Fuzzy Hash: D091D271A002449FDB1CCF68C984B9EBBF6FF54340F20866CE459AB792D770AA81CB50
              APIs
              • GetSystemMetrics.USER32(00000001), ref: 005EAF8A
              • GetSystemMetrics.USER32(00000000), ref: 005EAF90
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: MetricsSystem
              • String ID: d$image/png
              • API String ID: 4116985748-2616758285
              • Opcode ID: 81da90dbcc8a9ae671d21dc1fccd5ab38a7571a9179c13cf4e327eeac9cf514a
              • Instruction ID: 1f34a4185c481c2dc0292b08acb79854823dd51b98179627658b5493116c9792
              • Opcode Fuzzy Hash: 81da90dbcc8a9ae671d21dc1fccd5ab38a7571a9179c13cf4e327eeac9cf514a
              • Instruction Fuzzy Hash: E0518CB1504341AFE710DF21C898B6BBBE9FB85754F001D2DF89493240E772E904CB96
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E77B4
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^$invalid_iterator
              • API String ID: 2659868963-3096502865
              • Opcode ID: e2b525b3f60da3140a54e3b89b91dbedebeddaf82b38193110b0270113e0605c
              • Instruction ID: 12db1614c9155171e14a524e4480d4f71ea3cb89d4b7682171ffbde780990e6d
              • Opcode Fuzzy Hash: e2b525b3f60da3140a54e3b89b91dbedebeddaf82b38193110b0270113e0605c
              • Instruction Fuzzy Hash: 5A5137B19002489FDB18CFA8D89479DBBF2FB48300F14866DE459EB792E7749980CB94
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E7D67
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^$other_error
              • API String ID: 2659868963-1867354975
              • Opcode ID: 64f2e1ef643a0f219b63c7a361f7631c67473ab4040686a1bb382d24e542735e
              • Instruction ID: 24e2cddd822ee45c3d9c62cf711e43237ce016351bda87547be3f2fd56f288df
              • Opcode Fuzzy Hash: 64f2e1ef643a0f219b63c7a361f7631c67473ab4040686a1bb382d24e542735e
              • Instruction Fuzzy Hash: E15158B19002488FDB58CFA8D9847ADBFF2FF48300F248669E459EB792D7749980CB54
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E50C8
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: @3^$`!^$recursive_directory_iterator::operator++
              • API String ID: 2659868963-2947506004
              • Opcode ID: 602214e5c16e4ae5fe36ca4731e25ca0b231a9e1f98745487a08a72beda30e0d
              • Instruction ID: db2d5d4aa9b76bfb5d077e86ffe0bcb1f1c93c93afae811a5074a7b9f8a75a8f
              • Opcode Fuzzy Hash: 602214e5c16e4ae5fe36ca4731e25ca0b231a9e1f98745487a08a72beda30e0d
              • Instruction Fuzzy Hash: CB319EB6800649EFC714DF55D845F8ABBF8FB08710F008669E95693A81EB74BA14CBA1
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 0065B3DF
              • ___std_exception_copy.LIBVCRUNTIME ref: 0065B406
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^
              • API String ID: 2659868963-985837307
              • Opcode ID: a02bca74e933e18426cce351e423eacf0e101129276786fca458bcced44c9a42
              • Instruction ID: 527a71d48f8d06e7ab8c1c285c1780f9dc0c61626dfd0144042a829860cabb11
              • Opcode Fuzzy Hash: a02bca74e933e18426cce351e423eacf0e101129276786fca458bcced44c9a42
              • Instruction Fuzzy Hash: EFF0C4B6501706AF8708DF59D405896FBE9FA54710301853FE52ACBB01E7B0E528CFA4
              APIs
              • Process32Next.KERNEL32(00000000,00000128), ref: 005EDAB0
              • Process32Next.KERNEL32(00000000,?), ref: 005EDAF8
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: NextProcess32
              • String ID: ?
              • API String ID: 1850201408-1684325040
              • Opcode ID: 1bc63751e1ca1fba439003deb85e9aff2efa1b94880a0d0fb59aefc719522ac9
              • Instruction ID: bebe3b675947c7d5d3a9a3a3cc50d05ae40ff39f707da84060058e0f118b2c69
              • Opcode Fuzzy Hash: 1bc63751e1ca1fba439003deb85e9aff2efa1b94880a0d0fb59aefc719522ac9
              • Instruction Fuzzy Hash: EDF15BB1D0526D9ADB64EB90CC45BEEBBBDFF14300F4004D9E549A6242EB705B88CF66
              APIs
              • Concurrency::cancel_current_task.LIBCPMT ref: 0065A656
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Concurrency::cancel_current_task
              • String ID: pected $unexpected
              • API String ID: 118556049-356062554
              • Opcode ID: a488096d346ddb20ad401a233e08d86b5c368dbbab1f4f7ebdf35b9828553d39
              • Instruction ID: 0cd099f2818222909a93f3ca8f3b833819512eae79f383cef40d639561c3fcd8
              • Opcode Fuzzy Hash: a488096d346ddb20ad401a233e08d86b5c368dbbab1f4f7ebdf35b9828553d39
              • Instruction Fuzzy Hash: 735114725001109FD728DF68DC84AAAB7A7EF84311F64476DFC168B346EB30ED898795
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E34AF
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907778108.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907848920.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908316691.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908379723.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908499591.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908545698.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908615437.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908660368.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908722240.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908778913.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908836616.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2908888904.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909086231.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909131231.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: @3^$`!^
              • API String ID: 2659868963-3143709943
              • Opcode ID: 1b8929309b989fd906d0b46a1a3df98cffa5b782f2ef3e10fe8a1e5ee489c443
              • Instruction ID: 810cbffb39fb53598f407c9d7f8b2259fe49039fe2a5ee4bfb632c087bf9d5ad
              • Opcode Fuzzy Hash: 1b8929309b989fd906d0b46a1a3df98cffa5b782f2ef3e10fe8a1e5ee489c443
              • Instruction Fuzzy Hash: D3F0A5B6604705AF8708CF5AD401896FBE9FB99710315853FE529C7B00E7B0E5248BA4
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E3078
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^
              • API String ID: 2659868963-985837307
              • Opcode ID: 380b2eabaced5ce806821a513ae90f975fd8139c557d6744c0c5c56a205fc9de
              • Instruction ID: b08afc3fbc825b5a607e2ca7b68de38c7852650a7e8d0dd1c9b3275b641124b0
              • Opcode Fuzzy Hash: 380b2eabaced5ce806821a513ae90f975fd8139c557d6744c0c5c56a205fc9de
              • Instruction Fuzzy Hash: 39E0EDB69113489BC710DFA9980598AFFE8AB29701F0086AAE948D7201F6B195548BD5
              APIs
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E75F1
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E7600
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_destroy
              • String ID: `!^
              • API String ID: 4194217158-3084548898
              • Opcode ID: 6af2f6ca4a4222366114cc7910663b7b92fdd21c539ed3f4db77e6fd6beeb2fc
              • Instruction ID: ead81c73ef6245ed0f0bd59481c2749a48a8668d09b306ac10864bfc8ba96a36
              • Opcode Fuzzy Hash: 6af2f6ca4a4222366114cc7910663b7b92fdd21c539ed3f4db77e6fd6beeb2fc
              • Instruction Fuzzy Hash: D2E086F250075853C720AF559C09F9ABADD9F35705F04483EF95492701E7B1E65883E9
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E30AE
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^
              • API String ID: 2659868963-985837307
              • Opcode ID: e84b3075c86c2e0b4b97d197977f03163f51781e32eade403ad7d41828cd44f3
              • Instruction ID: 5300f0e1582f6b8bccb0c77cb1c750a4f5998eb97474cb451135d2615a8de544
              • Opcode Fuzzy Hash: e84b3075c86c2e0b4b97d197977f03163f51781e32eade403ad7d41828cd44f3
              • Instruction Fuzzy Hash: 65E017B26053189FC718DF89E805996BFEDEB25754705843EF649DB301E6B1E8208FA8
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E224E
              Strings
              Memory Dump Source
              • Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_5_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^
              • API String ID: 2659868963-985837307
              • Opcode ID: 7b245721c2e8ade2686f08d10b9f482dd5c0efb40d90aae61a3297ba18e0be5f
              • Instruction ID: b7ad5ddfe473e00876ad52e5754bed08428ee662793d67631ea87400271f381c
              • Opcode Fuzzy Hash: 7b245721c2e8ade2686f08d10b9f482dd5c0efb40d90aae61a3297ba18e0be5f
              • Instruction Fuzzy Hash: F9E017B2A053149BC718DF89E801996BFEDEB25754705C43EF649DB301E7B0E8208BA8
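              The memory-dump identifiers in the records above encode, per region, a virtual address, a Win32 PAGE_* protection value and a MEM_* region type. The script below is an added example (not Joe Sandbox code) that pulls those identifiers out of report text, decodes the protection and type fields, and flags image regions that were both writable and executable at snapshot time. The field positions are an assumption inferred from the identifiers on this page (the fourth dotted field is the region address, the fifth only ever holds valid PAGE_* constants, the seventh is 0x1000000 = MEM_IMAGE); Joe Sandbox does not document the naming scheme here. The embedded excerpt is a constructed subset of the "Memory Dump Source" lines shown above.

```python
"""Decode Joe Sandbox memory-dump identifiers and flag W+X image regions.

Added example, not Joe Sandbox code.  ASSUMPTION: in an identifier such as
00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp
the 0-based dotted field 3 is the region's virtual address, field 4 a Win32
PAGE_* protection constant and field 6 a MEM_* region type.
"""
import re
from dataclasses import dataclass

# Win32 memory protection constants (winnt.h).
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE = 0x1000000, 0x40000, 0x20000
MEM_NAMES = {MEM_IMAGE: "MEM_IMAGE", MEM_MAPPED: "MEM_MAPPED", MEM_PRIVATE: "MEM_PRIVATE"}

# Eight dotted hex/decimal fields followed by ".sdmp".
DUMP_RE = re.compile(r"([0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+){7})\.sdmp")

# Constructed excerpt of the report's "Memory Dump Source" lines (subset).
REPORT_EXCERPT = """\
Memory Dump Source
• Source File: 00000005.00000002.2907261510.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
• Associated: 00000005.00000002.2907156931.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2907261510.0000000000713000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2907710982.0000000000718000.00000008.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2907904187.0000000000728000.00000080.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2908247019.0000000000889000.00000040.00000001.01000000.00000004.sdmp
• Associated: 00000005.00000002.2909259980.0000000000992000.00000040.00000001.01000000.00000004.sdmp
"""


@dataclass(frozen=True)
class Region:
    dump_id: str
    address: int
    protect: int
    mem_type: int

    @property
    def executable(self) -> bool:
        # PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
        return bool(self.protect & 0xF0)

    @property
    def writable(self) -> bool:
        # PAGE_READWRITE, PAGE_WRITECOPY and their EXECUTE_* variants (0x04|0x08|0x40|0x80)
        return bool(self.protect & 0xCC)

    def describe(self) -> str:
        prot = PAGE_NAMES.get(self.protect & 0xFF, f"0x{self.protect:02X}")
        kind = MEM_NAMES.get(self.mem_type, f"0x{self.mem_type:X}")
        flag = "  <-- W+X" if self.executable and self.writable else ""
        return f"{self.address:#010x} {prot:<24} {kind}{flag}"


def parse_regions(report_text: str) -> list:
    """One Region per distinct .sdmp identifier, in document order."""
    seen, regions = set(), []
    for m in DUMP_RE.finditer(report_text):
        dump_id = m.group(1)
        if dump_id in seen:
            continue
        seen.add(dump_id)
        f = dump_id.split(".")
        regions.append(Region(dump_id, int(f[3], 16), int(f[4], 16), int(f[6], 16)))
    return regions


def wx_regions(regions: list) -> list:
    """Regions that were writable and executable when the snapshot was taken."""
    return [r for r in regions if r.executable and r.writable]


if __name__ == "__main__":
    regs = parse_regions(REPORT_EXCERPT)
    for r in regs:
        print(r.describe())
    print(f"{len(wx_regions(regs))} of {len(regs)} regions are W+X")
```

              Image (MEM_IMAGE) regions that are PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY at snapshot time are where an in-place unpacker writes decoded code, so they are the dumps to carve and disassemble first; a clean PE mapping would keep its code sections execute-only and its data sections non-executable.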

              Execution Graph

              Execution Coverage:3%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:0%
              Total number of Nodes:813
              Total number of Limit Nodes:92
              execution_graph (interactive graph; the raw node and edge dump is not reproduced here). Node labels that name Win32 APIs: GetUserNameA (5f7ff4), GetFileAttributesA (5f815b, 5f874f), GetModuleFileNameA (5f5def), GetPEB (5f4100, 5f5cd5, 5f5498), GetSystemTimePreciseAsFileTime (6be812, 6bf27b), SetFilePointerEx with WriteFile (6c9136, 6ccea3), SetFilePointerEx alone (6c4eeb), and RtlAllocateHeap on many nodes (for example 5e1050, 5e2270, 6c47b0, 6c5362). The remaining labels are MSVC runtime and STL helpers: std::locale::_Init, std::locale::_Setgloballocale, std::ios_base::_Ios_base_dtor, std::_Facet_Register, ___std_exception_copy, ___std_exception_destroy, __fread_nolock, __Mtx_unlock, __Getctype and Concurrency::cancel_current_task.
32323->32325 32327 5ea318 32323->32327 32326 5ea3d8 32324->32326 32325->32327 32329 6c9136 SetFilePointerEx WriteFile RtlAllocateHeap RtlAllocateHeap 32326->32329 32335 5ea3f9 32326->32335 32328 6cdbdf __fread_nolock SetFilePointerEx ReadFile RtlAllocateHeap RtlAllocateHeap 32327->32328 32331 5ea348 32328->32331 32332 5ea3eb 32329->32332 32330 5ea423 std::ios_base::_Ios_base_dtor 32333 6c8be8 SetFilePointerEx FindCloseChangeNotification WriteFile RtlAllocateHeap RtlAllocateHeap 32331->32333 32334 6c4eeb SetFilePointerEx RtlAllocateHeap 32332->32334 32333->32317 32337 5ea3f1 32334->32337 32335->32330 32336 6c47b0 RtlAllocateHeap 32335->32336 32338 5ea439 32336->32338 32339 6c8be8 SetFilePointerEx FindCloseChangeNotification WriteFile RtlAllocateHeap RtlAllocateHeap 32337->32339 32339->32335 32343 6bf295 std::_Facet_Register 32340->32343 32342 6bf2af 32342->32288 32343->32342 32345 5e21d0 Concurrency::cancel_current_task 32343->32345 32396 6cdf2c 32343->32396 32344 6bf2bb 32344->32344 32345->32344 32402 6c0651 RtlAllocateHeap RtlAllocateHeap ___std_exception_destroy ___std_exception_copy 32345->32402 32347 5e2213 32347->32288 32349 5e2ba5 32348->32349 32355 5e2af6 32348->32355 32404 5e2270 RtlAllocateHeap RtlAllocateHeap 32349->32404 32350 5e2b02 std::locale::_Init 32350->32290 32352 5e2b2a 32356 6bf290 std::_Facet_Register 2 API calls 32352->32356 32353 5e2baa 32405 5e21d0 RtlAllocateHeap RtlAllocateHeap Concurrency::cancel_current_task ___std_exception_copy 32353->32405 32355->32350 32355->32352 32358 5e2b6e 32355->32358 32359 5e2b65 32355->32359 32357 5e2b3d 32356->32357 32360 6c47b0 RtlAllocateHeap 32357->32360 32363 5e2b46 std::locale::_Init 32357->32363 32361 6bf290 std::_Facet_Register 2 API calls 32358->32361 32358->32363 32359->32352 32359->32353 32362 5e2bb4 32360->32362 32361->32363 32363->32290 32406 6c52a0 32364->32406 32366 5ea157 32366->32297 32370 6c9136 32366->32370 32439 6c46ec RtlAllocateHeap __fread_nolock 32367->32439 32369 6c47bf __Getctype 
32371 6c9149 __fread_nolock 32370->32371 32440 6c8e8d 32371->32440 32373 6c915e 32447 6c44dc 32373->32447 32376 6c4eeb 32377 6c4efe __fread_nolock 32376->32377 32553 6c4801 32377->32553 32379 6c4f0a 32380 6c44dc __fread_nolock RtlAllocateHeap 32379->32380 32381 5ea170 32380->32381 32381->32301 32383 64cfa7 32382->32383 32386 64cf78 __fread_nolock 32382->32386 32591 650560 32383->32591 32385 64cfba 32385->32307 32386->32307 32608 6cdbfc 32387->32608 32389 5ea1bb 32390 6c8be8 32389->32390 32391 6c8bfb __fread_nolock 32390->32391 32717 6c8ac3 32391->32717 32393 6c8c07 32394 6c44dc __fread_nolock RtlAllocateHeap 32393->32394 32395 6c8c13 32394->32395 32395->32297 32401 6d6e2d __dosmaperr std::_Facet_Register 32396->32401 32397 6d6e6b 32403 6cd23f RtlAllocateHeap __dosmaperr 32397->32403 32399 6d6e56 RtlAllocateHeap 32400 6d6e69 32399->32400 32399->32401 32400->32343 32401->32397 32401->32399 32402->32347 32403->32400 32405->32357 32409 6c52ac __fread_nolock 32406->32409 32407 6c52b3 32424 6cd23f RtlAllocateHeap __dosmaperr 32407->32424 32409->32407 32411 6c52d3 32409->32411 32410 6c52b8 32425 6c47a0 RtlAllocateHeap __fread_nolock 32410->32425 32413 6c52d8 32411->32413 32414 6c52e5 32411->32414 32426 6cd23f RtlAllocateHeap __dosmaperr 32413->32426 32420 6d6688 32414->32420 32417 6c52ee 32419 6c52c3 32417->32419 32427 6cd23f RtlAllocateHeap __dosmaperr 32417->32427 32419->32366 32421 6d6694 __fread_nolock std::_Lockit::_Lockit 32420->32421 32428 6d672c 32421->32428 32423 6d66af 32423->32417 32424->32410 32425->32419 32426->32419 32427->32419 32429 6d674f __fread_nolock 32428->32429 32433 6d6795 __fread_nolock 32429->32433 32434 6d63f3 32429->32434 32431 6d67b0 32438 6d6db3 RtlAllocateHeap __dosmaperr 32431->32438 32433->32423 32435 6d6400 __dosmaperr std::_Facet_Register 32434->32435 32436 6d642b RtlAllocateHeap 32435->32436 32437 6d643e __dosmaperr 32435->32437 32436->32435 32436->32437 32437->32431 32438->32433 32439->32369 32441 6c8e99 __fread_nolock 32440->32441 
32442 6c8e9f 32441->32442 32444 6c8ee2 __fread_nolock 32441->32444 32462 6c4723 RtlAllocateHeap __fread_nolock __Getctype 32442->32462 32453 6c9010 32444->32453 32446 6c8eba 32446->32373 32448 6c44e8 32447->32448 32449 6c44ff 32448->32449 32551 6c4587 RtlAllocateHeap __fread_nolock __Getctype 32448->32551 32451 5ea16a 32449->32451 32552 6c4587 RtlAllocateHeap __fread_nolock __Getctype 32449->32552 32451->32376 32454 6c9036 32453->32454 32455 6c9023 32453->32455 32463 6c8f37 32454->32463 32455->32446 32457 6c9059 32461 6c90e7 32457->32461 32467 6c55d3 32457->32467 32461->32446 32462->32446 32464 6c8fa0 32463->32464 32465 6c8f48 32463->32465 32464->32457 32465->32464 32476 6ce13d SetFilePointerEx RtlAllocateHeap __fread_nolock 32465->32476 32468 6c55ec 32467->32468 32469 6c5613 32467->32469 32468->32469 32477 6d5f82 32468->32477 32473 6ce17d 32469->32473 32471 6c5608 32484 6d538b 32471->32484 32528 6ce05c 32473->32528 32475 6ce196 32475->32461 32476->32464 32478 6d5f8e 32477->32478 32479 6d5fa3 32477->32479 32491 6cd23f RtlAllocateHeap __dosmaperr 32478->32491 32479->32471 32481 6d5f93 32492 6c47a0 RtlAllocateHeap __fread_nolock 32481->32492 32483 6d5f9e 32483->32471 32485 6d5397 __fread_nolock 32484->32485 32486 6d53d8 32485->32486 32488 6d541e 32485->32488 32490 6d539f 32485->32490 32507 6c4723 RtlAllocateHeap __fread_nolock __Getctype 32486->32507 32488->32490 32493 6d549c 32488->32493 32490->32469 32491->32481 32492->32483 32496 6d54c4 32493->32496 32506 6d54e7 __fread_nolock 32493->32506 32494 6d54c8 32513 6c4723 RtlAllocateHeap __fread_nolock __Getctype 32494->32513 32496->32494 32497 6d5523 32496->32497 32498 6d5541 32497->32498 32500 6ce17d 2 API calls 32497->32500 32508 6d4fe1 32498->32508 32500->32498 32502 6d5559 32502->32506 32514 6d4bb2 RtlAllocateHeap RtlAllocateHeap std::locale::_Init std::_Locinfo::_Locinfo_ctor _ValidateLocalCookies 32502->32514 32503 6d55a0 32504 6d5609 WriteFile 32503->32504 32503->32506 32504->32506 32506->32490 32507->32490 32515 
6e0d44 32508->32515 32510 6d4ff3 32511 6d5021 32510->32511 32524 6c9d10 RtlAllocateHeap RtlAllocateHeap __fread_nolock std::_Locinfo::_Locinfo_ctor 32510->32524 32511->32502 32511->32503 32513->32506 32514->32506 32516 6e0d5e 32515->32516 32517 6e0d51 32515->32517 32520 6e0d6a 32516->32520 32526 6cd23f RtlAllocateHeap __dosmaperr 32516->32526 32525 6cd23f RtlAllocateHeap __dosmaperr 32517->32525 32519 6e0d56 32519->32510 32520->32510 32522 6e0d8b 32527 6c47a0 RtlAllocateHeap __fread_nolock 32522->32527 32524->32511 32525->32519 32526->32522 32527->32519 32533 6da6de 32528->32533 32530 6ce06e 32531 6ce08a SetFilePointerEx 32530->32531 32532 6ce076 __fread_nolock 32530->32532 32531->32532 32532->32475 32534 6da6eb 32533->32534 32535 6da700 32533->32535 32546 6cd22c RtlAllocateHeap __dosmaperr 32534->32546 32540 6da725 32535->32540 32548 6cd22c RtlAllocateHeap __dosmaperr 32535->32548 32537 6da6f0 32547 6cd23f RtlAllocateHeap __dosmaperr 32537->32547 32540->32530 32541 6da730 32549 6cd23f RtlAllocateHeap __dosmaperr 32541->32549 32542 6da6f8 32542->32530 32544 6da738 32550 6c47a0 RtlAllocateHeap __fread_nolock 32544->32550 32546->32537 32547->32542 32548->32541 32549->32544 32550->32542 32551->32449 32552->32451 32554 6c480d __fread_nolock 32553->32554 32555 6c4814 32554->32555 32556 6c4835 __fread_nolock 32554->32556 32563 6c4723 RtlAllocateHeap __fread_nolock __Getctype 32555->32563 32560 6c4910 32556->32560 32559 6c482d 32559->32379 32564 6c4942 32560->32564 32562 6c4922 32562->32559 32563->32559 32565 6c4979 32564->32565 32566 6c4951 32564->32566 32567 6d5f82 __fread_nolock RtlAllocateHeap 32565->32567 32580 6c4723 RtlAllocateHeap __fread_nolock __Getctype 32566->32580 32569 6c4982 32567->32569 32577 6ce11f 32569->32577 32572 6c4a2c 32581 6c4cae SetFilePointerEx RtlAllocateHeap __fread_nolock __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z _ValidateLocalCookies 32572->32581 32574 6c4a43 32576 6c496c __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 32574->32576 32582 6c4ae3 
SetFilePointerEx RtlAllocateHeap __fread_nolock __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 32574->32582 32576->32562 32583 6cdf37 32577->32583 32579 6c49a0 32579->32572 32579->32574 32579->32576 32580->32576 32581->32576 32582->32576 32585 6cdf43 __fread_nolock 32583->32585 32584 6cdf4b 32584->32579 32585->32584 32586 6cdf86 32585->32586 32588 6cdfcc 32585->32588 32590 6c4723 RtlAllocateHeap __fread_nolock __Getctype 32586->32590 32588->32584 32589 6ce05c __fread_nolock 2 API calls 32588->32589 32589->32584 32590->32584 32592 6506a9 32591->32592 32596 650585 32591->32596 32606 5e2270 RtlAllocateHeap RtlAllocateHeap 32592->32606 32594 6506ae 32607 5e21d0 RtlAllocateHeap RtlAllocateHeap Concurrency::cancel_current_task ___std_exception_copy 32594->32607 32599 6505f0 32596->32599 32600 6505e3 32596->32600 32602 65059a 32596->32602 32597 6bf290 std::_Facet_Register 2 API calls 32598 6505aa __fread_nolock std::locale::_Init 32597->32598 32601 6c47b0 RtlAllocateHeap 32598->32601 32605 650667 std::ios_base::_Ios_base_dtor __fread_nolock std::locale::_Init 32598->32605 32599->32598 32603 6bf290 std::_Facet_Register 2 API calls 32599->32603 32600->32594 32600->32602 32604 6506b8 32601->32604 32602->32597 32603->32598 32605->32385 32607->32598 32609 6cdc08 __fread_nolock 32608->32609 32610 6cdc1b __fread_nolock 32609->32610 32611 6cdc52 __fread_nolock 32609->32611 32616 6cdc40 __fread_nolock 32609->32616 32630 6cd23f RtlAllocateHeap __dosmaperr 32610->32630 32617 6cda06 32611->32617 32613 6cdc35 32631 6c47a0 RtlAllocateHeap __fread_nolock 32613->32631 32616->32389 32620 6cda18 __fread_nolock 32617->32620 32622 6cda35 32617->32622 32618 6cda25 32691 6cd23f RtlAllocateHeap __dosmaperr 32618->32691 32620->32618 32620->32622 32627 6cda76 __fread_nolock 32620->32627 32622->32616 32623 6cdba1 __fread_nolock 32694 6cd23f RtlAllocateHeap __dosmaperr 32623->32694 32625 6d5f82 __fread_nolock RtlAllocateHeap 32625->32627 32627->32622 32627->32623 32627->32625 32632 6d4623 32627->32632 
32693 6c8a2b RtlAllocateHeap __fread_nolock __dosmaperr std::locale::_Init 32627->32693 32628 6cda2a 32692 6c47a0 RtlAllocateHeap __fread_nolock 32628->32692 32630->32613 32631->32616 32633 6d4635 32632->32633 32636 6d464d 32632->32636 32695 6cd22c RtlAllocateHeap __dosmaperr 32633->32695 32635 6d498f 32714 6cd22c RtlAllocateHeap __dosmaperr 32635->32714 32636->32635 32640 6d4690 32636->32640 32637 6d463a 32696 6cd23f RtlAllocateHeap __dosmaperr 32637->32696 32642 6d469b 32640->32642 32646 6d4642 32640->32646 32648 6d46cb 32640->32648 32641 6d4994 32715 6cd23f RtlAllocateHeap __dosmaperr 32641->32715 32697 6cd22c RtlAllocateHeap __dosmaperr 32642->32697 32645 6d46a8 32716 6c47a0 RtlAllocateHeap __fread_nolock 32645->32716 32646->32627 32647 6d46a0 32698 6cd23f RtlAllocateHeap __dosmaperr 32647->32698 32651 6d46e4 32648->32651 32652 6d471f 32648->32652 32653 6d46f1 32648->32653 32651->32653 32657 6d470d 32651->32657 32702 6d6e2d RtlAllocateHeap RtlAllocateHeap __dosmaperr std::_Facet_Register 32652->32702 32699 6cd22c RtlAllocateHeap __dosmaperr 32653->32699 32656 6d46f6 32700 6cd23f RtlAllocateHeap __dosmaperr 32656->32700 32660 6e0d44 __fread_nolock RtlAllocateHeap 32657->32660 32658 6d4730 32703 6d6db3 RtlAllocateHeap __dosmaperr 32658->32703 32676 6d486b 32660->32676 32662 6d46fd 32701 6c47a0 RtlAllocateHeap __fread_nolock 32662->32701 32663 6d4739 32704 6d6db3 RtlAllocateHeap __dosmaperr 32663->32704 32666 6d48e3 ReadFile 32668 6d48fb 32666->32668 32669 6d4957 32666->32669 32667 6d4740 32671 6d474a 32667->32671 32672 6d4765 32667->32672 32668->32669 32670 6d48d4 32668->32670 32678 6d48b5 32669->32678 32679 6d4964 32669->32679 32682 6d4937 32670->32682 32683 6d4920 32670->32683 32690 6d4708 __fread_nolock 32670->32690 32705 6cd23f RtlAllocateHeap __dosmaperr 32671->32705 32707 6ce13d SetFilePointerEx RtlAllocateHeap __fread_nolock 32672->32707 32676->32666 32677 6d489b 32676->32677 32677->32670 32677->32678 32678->32690 32708 6cd1e5 RtlAllocateHeap __dosmaperr 
32678->32708 32712 6cd23f RtlAllocateHeap __dosmaperr 32679->32712 32680 6d474f 32706 6cd22c RtlAllocateHeap __dosmaperr 32680->32706 32682->32690 32711 6d417b SetFilePointerEx RtlAllocateHeap __fread_nolock 32682->32711 32710 6d4335 SetFilePointerEx RtlAllocateHeap __fread_nolock __dosmaperr 32683->32710 32685 6d4969 32713 6cd22c RtlAllocateHeap __dosmaperr 32685->32713 32709 6d6db3 RtlAllocateHeap __dosmaperr 32690->32709 32691->32628 32692->32622 32693->32627 32694->32628 32695->32637 32696->32646 32697->32647 32698->32645 32699->32656 32700->32662 32701->32690 32702->32658 32703->32663 32704->32667 32705->32680 32706->32690 32707->32657 32708->32690 32709->32646 32710->32690 32711->32690 32712->32685 32713->32690 32714->32641 32715->32645 32716->32646 32718 6c8acf __fread_nolock 32717->32718 32719 6c8ad9 32718->32719 32722 6c8afc __fread_nolock 32718->32722 32738 6c4723 RtlAllocateHeap __fread_nolock __Getctype 32719->32738 32721 6c8af4 32721->32393 32722->32721 32724 6c8b5a 32722->32724 32725 6c8b8a 32724->32725 32726 6c8b67 32724->32726 32728 6c8b82 32725->32728 32729 6c55d3 4 API calls 32725->32729 32750 6c4723 RtlAllocateHeap __fread_nolock __Getctype 32726->32750 32728->32721 32730 6c8ba2 32729->32730 32739 6d6ded 32730->32739 32733 6d5f82 __fread_nolock RtlAllocateHeap 32734 6c8bb6 32733->32734 32743 6d4a3f 32734->32743 32738->32721 32740 6c8baa 32739->32740 32741 6d6e04 32739->32741 32740->32733 32741->32740 32752 6d6db3 RtlAllocateHeap __dosmaperr 32741->32752 32745 6c8bbd 32743->32745 32746 6d4a68 32743->32746 32744 6d4ab7 32757 6c4723 RtlAllocateHeap __fread_nolock __Getctype 32744->32757 32745->32728 32751 6d6db3 RtlAllocateHeap __dosmaperr 32745->32751 32746->32744 32748 6d4a8f 32746->32748 32753 6d49ae 32748->32753 32750->32728 32751->32728 32752->32740 32754 6d49ba __fread_nolock 32753->32754 32756 6d49f9 32754->32756 32758 6d4b12 32754->32758 32756->32745 32757->32745 32759 6da6de __fread_nolock RtlAllocateHeap 32758->32759 32761 6d4b22 
32759->32761 32763 6da6de __fread_nolock RtlAllocateHeap 32761->32763 32767 6d4b28 32761->32767 32769 6d4b5a 32761->32769 32762 6da6de __fread_nolock RtlAllocateHeap 32764 6d4b66 FindCloseChangeNotification 32762->32764 32766 6d4b51 32763->32766 32764->32767 32765 6d4b80 __fread_nolock 32765->32756 32768 6da6de __fread_nolock RtlAllocateHeap 32766->32768 32770 6da64d RtlAllocateHeap __dosmaperr 32767->32770 32768->32769 32769->32762 32769->32767 32770->32765 32771 5ea690 32785 6be812 32771->32785 32774 5ea6fe 32788 6be4bb 6 API calls std::locale::_Setgloballocale 32774->32788 32775 5ea6a9 32778 5ea6c9 __Mtx_unlock 32775->32778 32781 5ea6bd GetFileAttributesA 32775->32781 32781->32778 32789 6be5ec 32785->32789 32787 5ea6a2 32787->32774 32787->32775 32790 6be64e 32789->32790 32792 6be614 _ValidateLocalCookies 32789->32792 32790->32792 32795 6bec91 GetSystemTimePreciseAsFileTime __aulldiv __aullrem __Xtime_get_ticks 32790->32795 32792->32787 32793 6be6a4 __Xtime_diff_to_millis2 32793->32792 32796 6bec91 GetSystemTimePreciseAsFileTime __aulldiv __aullrem __Xtime_get_ticks 32793->32796 32795->32793 32796->32793 33417 5e5f90 6 API calls std::ios_base::_Ios_base_dtor 33313 5f4490 RegOpenKeyExA RegOpenKeyExA RtlAllocateHeap RtlAllocateHeap std::ios_base::_Ios_base_dtor 33379 5f6689 9 API calls 4 library calls 33317 5ff880 Sleep RtlAllocateHeap RtlAllocateHeap 33318 5ed892 21 API calls __fread_nolock 33419 5f57b8 GetPEB GetPEB 32797 5eb6a0 32808 5eb6fe __Getctype 32797->32808 32798 5eb80c std::ios_base::_Ios_base_dtor 32799 5eb7e1 32799->32798 32800 6c47b0 RtlAllocateHeap 32799->32800 32803 5eb82c 32800->32803 32801 5eb7d8 32853 6cd7d6 RtlAllocateHeap ___std_exception_destroy 32801->32853 32803->32803 32804 5e2ae0 2 API calls 32803->32804 32805 5eb8d9 RegOpenKeyExA 32804->32805 32810 5eb954 RegQueryValueExA 32805->32810 32813 5eb9e5 32805->32813 32806 5eb7d2 32852 6cd7d6 RtlAllocateHeap ___std_exception_destroy 32806->32852 32808->32799 32808->32801 32808->32806 
32808->32808 32851 64a350 2 API calls 4 library calls 32808->32851 32814 5eb9dc RegCloseKey 32810->32814 32815 5eb9b3 32810->32815 32813->32813 32816 5e2ae0 2 API calls 32813->32816 32814->32813 32854 64a350 2 API calls 4 library calls 32815->32854 32817 5eba59 __fread_nolock 32816->32817 32819 5eba6d GetCurrentHwProfileA 32817->32819 32820 5ebaac 32819->32820 32821 5eba81 32819->32821 32822 5ebab4 SetupDiGetClassDevsA 32820->32822 32855 64a350 2 API calls 4 library calls 32821->32855 32823 5ebb0d 32822->32823 32827 5ebadb 32822->32827 32856 5eb1a0 9 API calls ___std_exception_copy 32823->32856 32826 5ebb1b 32826->32827 32828 5ebb5e 32827->32828 32829 5ec141 32827->32829 32857 6520e0 32828->32857 32880 5e2270 RtlAllocateHeap RtlAllocateHeap 32829->32880 32831 5ec146 32833 6c47b0 RtlAllocateHeap 32831->32833 32850 5ec065 std::ios_base::_Ios_base_dtor 32833->32850 32834 5ebb89 32836 5ebbbc std::locale::_Init 32834->32836 32872 6506c0 2 API calls 4 library calls 32834->32872 32835 6c47b0 RtlAllocateHeap 32838 5ec150 32835->32838 32873 64a480 32836->32873 32840 5ebc62 32878 651ed0 RtlAllocateHeap RtlAllocateHeap Concurrency::cancel_current_task std::locale::_Init std::_Facet_Register 32840->32878 32842 5ebcb5 32843 64a480 2 API calls 32842->32843 32844 5ebcc8 32843->32844 32879 651ed0 RtlAllocateHeap RtlAllocateHeap Concurrency::cancel_current_task std::locale::_Init std::_Facet_Register 32844->32879 32846 5ebd2c std::ios_base::_Ios_base_dtor 32846->32831 32847 5ebf0a std::ios_base::_Ios_base_dtor std::locale::_Init 32846->32847 32848 5e2ae0 2 API calls 32847->32848 32848->32850 32849 5ec124 std::ios_base::_Ios_base_dtor 32850->32835 32850->32849 32851->32806 32852->32801 32853->32799 32854->32814 32855->32820 32856->32826 32858 652112 32857->32858 32860 65213d std::locale::_Init 32857->32860 32859 65211f 32858->32859 32861 652162 32858->32861 32862 65216b 32858->32862 32863 6bf290 std::_Facet_Register 2 API calls 32859->32863 32860->32834 32861->32859 32865 6521bc 
32861->32865 32862->32860 32867 6bf290 std::_Facet_Register 2 API calls 32862->32867 32864 652132 32863->32864 32864->32860 32868 6c47b0 RtlAllocateHeap 32864->32868 32881 5e21d0 RtlAllocateHeap RtlAllocateHeap Concurrency::cancel_current_task ___std_exception_copy 32865->32881 32867->32860 32869 6521c6 32868->32869 32882 6cd7d6 RtlAllocateHeap ___std_exception_destroy 32869->32882 32871 6521e4 std::ios_base::_Ios_base_dtor 32871->32834 32872->32836 32874 64a490 32873->32874 32874->32874 32877 64a4a7 std::locale::_Init 32874->32877 32883 6506c0 2 API calls 4 library calls 32874->32883 32876 64a4e2 32876->32840 32877->32840 32878->32842 32879->32846 32881->32864 32882->32871 32883->32876 32884 5fe0a0 WSAStartup 32885 5fe0d8 32884->32885 32886 5fe1a7 32884->32886 32885->32886 32887 5fe175 socket 32885->32887 32887->32886 32888 5fe18b connect 32887->32888 32888->32886 32889 5fe19d closesocket 32888->32889 32889->32886 32889->32887 33323 5fc0a0 14 API calls std::_Facet_Register 33386 5f3aa0 18 API calls 2 library calls
              APIs
              • GetUserNameA.ADVAPI32(?,00000104,?,?,?), ref: 005F8006
              • GetFileAttributesA.KERNELBASE(?,00000001,?,?,?,?), ref: 005F815D
              • __Mtx_unlock.LIBCPMT ref: 005F8186
              • __Mtx_unlock.LIBCPMT ref: 005F8195
              • GetFileAttributesA.KERNELBASE(?,00000001,?,?,?,?,?,?), ref: 005F8751
              • __Mtx_unlock.LIBCPMT ref: 005F877A
                • Part of subcall function 006506C0: Concurrency::cancel_current_task.LIBCPMT ref: 00650807
              • __Mtx_unlock.LIBCPMT ref: 005F87D7
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2907712400.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908082573.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908151714.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908212071.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908274078.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908602477.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908650246.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908835451.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908887511.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908957824.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909015175.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909077040.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909129320.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909204904.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909471331.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909629551.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Mtx_unlock$AttributesFile$Concurrency::cancel_current_taskNameUser
              • String ID: +$131$\
              • API String ID: 2365767635-78135455
              • Opcode ID: 698970cc4c780884950580247b462d727b2abcae487bfa1b8f90566b89ee4e7b
              • Instruction ID: 826b65aac78df76d66d4936fbc6d61cbf7f3cfefe4063941b53d12f727e5f205
              • Opcode Fuzzy Hash: 698970cc4c780884950580247b462d727b2abcae487bfa1b8f90566b89ee4e7b
              • Instruction Fuzzy Hash: EB238D709002598FDB28CF68CC84BEEBBB5BF05304F2481EDD509AB282D7759A85CF95
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2907712400.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908082573.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908151714.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908212071.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908274078.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908602477.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908650246.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908835451.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908887511.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908957824.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909015175.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909077040.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909129320.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909204904.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909471331.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909629551.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: *$131$D$\
              • API String ID: 0-1470618592
              • Opcode ID: 8598f5cabd0a5c41ac84e869a89e2b117a14d8b704c1ba31bb3e614e282f99f3
              • Instruction ID: 4607807d4be3e4c79f82d17451d8add0cfae54ff682f38e034ff6c843e2f0fa2
              • Opcode Fuzzy Hash: 8598f5cabd0a5c41ac84e869a89e2b117a14d8b704c1ba31bb3e614e282f99f3
              • Instruction Fuzzy Hash: DE239D709002588FDB68CF68CC84BEEBBB5BF09304F1441EDD549AB282E7759A85CF95

              Control-flow Graph

              • Executed
              • Not Executed
• Graph (node and edge list rendered in the report): function at 005EB6A0, basic blocks 005EB6A0-005EC185. Blocks call RegOpenKeyExA, RegQueryValueExA, RegCloseKey, GetCurrentHwProfileA and SetupDiGetClassDevsA; internal callees 005E2270, 005E2AE0, 005EA440, 005EB1A0, 005EB360, 0064A350, 0064A480, 006506C0, 006520E0, 00651ED0, 00665980, 00665B20, 006BF511, 006C0F70, 006C14F0, 006C47B0, 006C50B2, 006CD7D6.
              APIs
              • RegOpenKeyExA.KERNELBASE(80000002,C0D5DDC2,00000000,00020019,00000000,FAF8FCC4,FAF8FCC5), ref: 005EB947
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2907712400.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908082573.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908151714.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908212071.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908274078.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908602477.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908650246.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908835451.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908887511.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908957824.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909015175.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909077040.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909129320.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909204904.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909471331.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909629551.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Open
              • String ID: :$_$_$_
              • API String ID: 71445658-4119709311
              • Opcode ID: 392c2410b4c14f3e4bb990687df2e1fd5808172aafefab5fc9206d059a0459cc
              • Instruction ID: 931ccb8799fc0e960de74f5d4065b441196c4630b41b51edf3e21b3853550c0e
              • Opcode Fuzzy Hash: 392c2410b4c14f3e4bb990687df2e1fd5808172aafefab5fc9206d059a0459cc
              • Instruction Fuzzy Hash: 61729171D002599FEB18CF68CC94BEEBBB6BF45304F1481ADE449AB282D7749A85CF50
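An added example, not part of the Joe Sandbox report: a Python parser for lines in the report's APIs format, such as the RegOpenKeyExA line above, that splits each into API name, module, argument list and reference address and decodes the registry handle and access mask (80000002 is HKEY_LOCAL_MACHINE, 00020019 is KEY_READ). The sample text is constructed from the API lines the report quotes for this function and for the Winsock function that follows it. The second RegOpenKeyExA argument is an unresolved pointer, not the subkey string, so the parser returns it as a raw value and never guesses the key path; all function and variable names are this example's own.

```python
import re

# Constructed sample: the API lines quoted in the report for two functions,
# laid out exactly as the page shows them (bullet, arguments, "ref:" address).
SAMPLE_APIS = """
• RegOpenKeyExA.KERNELBASE(80000002,C0D5DDC2,00000000,00020019,00000000,FAF8FCC4,FAF8FCC5), ref: 005EB947
• WSAStartup.WS2_32 ref: 005FE0CB
• socket.WS2_32(?,?,?,?,?,?,00717320,?,?,?,?,?,?), ref: 005FE17F
• connect.WS2_32(00000000,?,00000000,?,?,?,00717320,?,?,?,?,?,?), ref: 005FE193
• closesocket.WS2_32(00000000), ref: 005FE19E
"""

# Two shapes occur: "api.MODULE(args), ref: ADDR" and "api.MODULE ref: ADDR"
# (the plugin recorded no arguments). The plugin dumps a fixed number of stack
# slots, so a line may carry more values than the API has parameters.
_API_LINE = re.compile(
    r"^\s*\u2022?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Predefined hive handles (HKEY_* values from winreg.h).
HIVES = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}

# Individual bits of a REGSAM access mask, in the order they are reported.
REG_RIGHTS = [
    (0x00000001, "KEY_QUERY_VALUE"),
    (0x00000002, "KEY_SET_VALUE"),
    (0x00000004, "KEY_CREATE_SUB_KEY"),
    (0x00000008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x00000010, "KEY_NOTIFY"),
    (0x00000020, "KEY_CREATE_LINK"),
    (0x00000100, "KEY_WOW64_64KEY"),
    (0x00000200, "KEY_WOW64_32KEY"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
]

# Well-known composite masks from winreg.h.
REG_COMPOSITES = {0x00020019: "KEY_READ", 0x00020006: "KEY_WRITE", 0x000F003F: "KEY_ALL_ACCESS"}

WRITE_RIGHTS = {"KEY_SET_VALUE", "KEY_CREATE_SUB_KEY", "DELETE", "WRITE_DAC", "WRITE_OWNER"}


def parse_api_line(line):
    """Parse one APIs line into {api, module, args, ref}; '?' arguments
    (values the plugin could not recover) become None. Returns None for
    lines that are not API records."""
    m = _API_LINE.match(line)
    if not m:
        return None
    args = []
    if m.group("args"):
        for tok in m.group("args").split(","):
            tok = tok.strip()
            args.append(None if tok == "?" else int(tok, 16))
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def parse_api_section(text):
    """Parse every recognisable API line in a block of report text."""
    return [rec for rec in map(parse_api_line, text.splitlines()) if rec]


def decode_reg_open(rec):
    """Decode a RegOpenKeyExA/W record: hive name, access mask breakdown and
    whether any write right was requested. Only the first four stack slots
    are parameters (hKey, lpSubKey, ulOptions, samDesired); lpSubKey is left
    as the raw pointer the report printed."""
    if rec["api"] not in ("RegOpenKeyExA", "RegOpenKeyExW") or len(rec["args"]) < 4:
        return None
    hive, subkey_ptr, _options, access = rec["args"][:4]
    hive_name = None if hive is None else HIVES.get(hive, "0x%08X (handle, not a predefined hive)" % hive)
    rights = [name for bit, name in REG_RIGHTS if access is not None and access & bit]
    return {
        "hive": hive_name,
        "subkey_ptr": subkey_ptr,
        "access": access,
        "composite": REG_COMPOSITES.get(access),
        "rights": rights,
        "write_access": bool(WRITE_RIGHTS & set(rights)),
    }


if __name__ == "__main__":
    for rec in parse_api_section(SAMPLE_APIS):
        print("%08X %-14s %-10s args=%s" % (rec["ref"], rec["api"], rec["module"], rec["args"]))
        decoded = decode_reg_open(rec)
        if decoded:
            print("   hive=%s mask=%s (%s) write=%s" % (
                decoded["hive"], decoded["composite"], ", ".join(decoded["rights"]), decoded["write_access"]))
```

The mask decoding is the check worth automating when triaging such lines. GetCurrentHwProfileA and SetupDiGetClassDevsA, which appear in the same function's graph, return the hardware profile GUID and a device-enumeration handle; a read-only open under HKLM beside them reads as machine fingerprinting, whereas a write right on the same call would point to persistence or tampering and deserve a different triage path.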

              Control-flow Graph

              • Executed
              • Not Executed
• Graph (node and edge list rendered in the report): function at 005FE0A0, basic blocks 005FE0A0-005FE1D9. Calls WSAStartup, then 005E6BD0 twice; the loop body calls socket and connect, and on one connect outcome calls closesocket and branches back to socket, so several connections are attempted in turn.
              APIs
              • WSAStartup.WS2_32 ref: 005FE0CB
              • socket.WS2_32(?,?,?,?,?,?,00717320,?,?,?,?,?,?), ref: 005FE17F
              • connect.WS2_32(00000000,?,00000000,?,?,?,00717320,?,?,?,?,?,?), ref: 005FE193
              • closesocket.WS2_32(00000000), ref: 005FE19E
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: same memory dumps as listed for the function above
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Startupclosesocketconnectsocket
              • String ID:
              • API String ID: 3098855095-0
              • Opcode ID: 9282defdcc649b618e162b627092d5b03f75c6e4733b7bfde1859186feb6374c
              • Instruction ID: b3ebcae118c746845e7b5c7a3a6e93bb26e3bf543a709c9c93aa8bebe3e50caf
              • Opcode Fuzzy Hash: 9282defdcc649b618e162b627092d5b03f75c6e4733b7bfde1859186feb6374c
              • Instruction Fuzzy Hash: 1C31B6716053045BE7209F258849B6BBBE4FBC5764F004F1DF9A4A62E0D33999048B92
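An added example, not part of the report: the function at 005FE0A0 above loops over socket, connect and closesocket, and the report records only "?" for the address arguments, so nothing on the page says which host or ports were tried. What a SOC would run against the sandbox's or an EDR's connection log is the detection for that behaviour, a destination contacted on many distinct ports in a short time. The log below is constructed (documentation IP ranges, invented ports), the thresholds are assumptions, and the function names are this example's own.

```python
from collections import defaultdict, deque

# Constructed connection log, not taken from the report:
# (seconds since start, destination IP, destination port, connect succeeded).
# 203.0.113.10 is tried on six high ports within ten seconds (the pattern the
# socket/connect/closesocket loop produces); 198.51.100.7 is an ordinary
# repeated HTTPS connection; 192.0.2.5 is touched on two ports an hour apart.
SAMPLE_CONNECTS = [
    (0.0, "203.0.113.10", 50500, False),
    (1.5, "203.0.113.10", 50501, False),
    (3.0, "203.0.113.10", 50502, False),
    (4.5, "203.0.113.10", 50503, True),
    (6.0, "203.0.113.10", 50504, False),
    (7.5, "203.0.113.10", 50505, False),
    (2.0, "198.51.100.7", 443, True),
    (30.0, "198.51.100.7", 443, True),
    (61.0, "198.51.100.7", 443, True),
    (5.0, "192.0.2.5", 80, True),
    (3605.0, "192.0.2.5", 8080, True),
]


def detect_port_sweeps(events, min_ports=5, window_s=60.0):
    """Return {dst_ip: {"ports": [...], "failed": n}} for every destination
    contacted on at least `min_ports` distinct ports inside some window of
    `window_s` seconds. A sliding window per destination keeps the check
    linear in the number of events; the thresholds are assumptions."""
    by_ip = defaultdict(list)
    for ts, ip, port, ok in events:
        by_ip[ip].append((ts, port, ok))

    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()                  # events may arrive interleaved
        window = deque()                 # (ts, port) pairs inside the window
        live = defaultdict(int)          # port -> occurrences inside the window
        for ts, port, _ok in attempts:
            window.append((ts, port))
            live[port] += 1
            # Expire attempts older than the window before counting ports.
            while ts - window[0][0] > window_s:
                _old_ts, old_port = window.popleft()
                live[old_port] -= 1
                if live[old_port] == 0:
                    del live[old_port]
            if len(live) >= min_ports:
                hits[ip] = {
                    "ports": sorted({p for _, p, _ in attempts}),
                    "failed": sum(1 for _, _, ok in attempts if not ok),
                }
                break
    return hits


if __name__ == "__main__":
    for ip, info in detect_port_sweeps(SAMPLE_CONNECTS).items():
        print("%s: %d distinct ports, %d failed connects, ports %s"
              % (ip, len(info["ports"]), info["failed"], info["ports"]))
```

The failed-connect count is kept because a sweep of a single IP in which most connects fail and one succeeds is the usual shape of a stealer probing for whichever port its server is listening on; a long-lived connection to one port on the same host, by contrast, should not trip this rule, which is why the window expires old attempts rather than counting ports for all time.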

              Control-flow Graph

              • Executed
              • Not Executed
• Graph (node and edge list rendered in the report): function at 006BF290, basic blocks 006BF290-006BF2BB, with a tail block at 005E21D0-005E2220 that calls 005E21B0, 006C0EFB and 006C0651; internal callees 006CDF2C, 006D17D8.
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E220E
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: same memory dumps as listed for the function above
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^
              • API String ID: 2659868963-985837307
              • Opcode ID: bc8ceb2c76924f206182f052f298989bd0a343bbd9bcc19d4f57e16a143a29f4
              • Instruction ID: e94f8ef04def47f14dcc88fbf19d73d15d711668984b3a8775314f87b7d1d840
              • Opcode Fuzzy Hash: bc8ceb2c76924f206182f052f298989bd0a343bbd9bcc19d4f57e16a143a29f4
              • Instruction Fuzzy Hash: 5B01207550030DA7CB18AF99DC059D57BDEDA00310F50843DFA18DB651E770E590C794

              Control-flow Graph

              • Executed
              • Not Executed
• Graph (node and edge list rendered in the report): function at 005EA690, basic blocks 005EA690-005EA745. Calls GetFileAttributesA; internal callees 006BE4BB, 006BE812, 006BE823.
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmpDownload File
              • Associated: 00000006.00000002.2907712400.0000000000713000.00000040.00000001.01000000.00000004.sdmpDownload File
              • Associated: same memory dumps as listed for the function above
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Mtx_unlock$AttributesFile
              • String ID:
              • API String ID: 1886074773-0
              • Opcode ID: 87ea4ac7bf507aff71a37a562f04a3ff30bbd1200ca6f0c11287343e4a4a29f8
              • Instruction ID: c67b08ecc76a84ee1085e5898f284efbfb2b7d43caef2053dda2b944e1132c74
              • Opcode Fuzzy Hash: 87ea4ac7bf507aff71a37a562f04a3ff30bbd1200ca6f0c11287343e4a4a29f8
              • Instruction Fuzzy Hash: 6E0149E1E401A0229E7C21BA2C464FB6D49985376871D8D26FCD1DB257F44BEE8082E3

              Control-flow Graph

              • Executed
              • Not Executed
• Graph (node and edge list rendered in the report): function at 00650560, basic blocks 00650560-006506B8. No Windows API calls in the block labels; internal callees 005E21D0, 005E2270, 006BF290, 006BF511, 006C0F70, 006C14F0, 006C47B0.
              APIs
              • Concurrency::cancel_current_task.LIBCPMT ref: 006506AE
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: same memory dumps as listed for the function above
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Concurrency::cancel_current_task
              • String ID: 5_
              • API String ID: 118556049-1161999416
              • Opcode ID: 704878a6fb962aec51445f9c7907984ce5d7d965d91800b1a8fb89f3cbd27ced
              • Instruction ID: 621670e01086a16ed09b242363608e4a2a7c6520bd4230c6ee20ac2c4a5d64cb
              • Opcode Fuzzy Hash: 704878a6fb962aec51445f9c7907984ce5d7d965d91800b1a8fb89f3cbd27ced
              • Instruction Fuzzy Hash: C641F672A001149BDB15DF68DD80AAE7BA6EF85311F1401ADFC15DB302EB30DE658BE5

              Control-flow Graph

              • Executed
              • Not Executed
• Graph (node and edge list rendered in the report): function at 005EA090, basic blocks 005EA090-005EA439. No Windows API calls in the block labels; internal callees 005E2AE0, 0064CF60, 006BF290, 006BF511, 006C47B0, 006C4EEB, 006C5362, 006C8BE8, 006C9136, 006CDBDF.
              APIs
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: same memory dumps as listed for the function above
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: __fread_nolock
              • String ID:
              • API String ID: 2638373210-0
              • Opcode ID: c3b6ebdc6bdc5238eff1670e9f0308f10caecd4dd7de0264fed6f67307a1fac0
              • Instruction ID: fa3e0b59eb018f084bbdd9c798585d0462cabb8994c0ed21eeed4914b4550dfd
              • Opcode Fuzzy Hash: c3b6ebdc6bdc5238eff1670e9f0308f10caecd4dd7de0264fed6f67307a1fac0
              • Instruction Fuzzy Hash: 02B12470900284AFDB18DF69CC49BAEBFE9FF45300F10856DF4459B682D7B4AA41C7A6

              Control-flow Graph
              • Graph image omitted (legend: Executed / Not Executed)
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 1c825a6aac7e6686e4bc2fd37150b3a452aa281e125bd09d457e0e87c7d4fbb5
              • Instruction ID: a13c429f1cafdf9861ded8d5526159d6acd1488c4acbd63ff361199e83d424c4
              • Opcode Fuzzy Hash: 1c825a6aac7e6686e4bc2fd37150b3a452aa281e125bd09d457e0e87c7d4fbb5
              • Instruction Fuzzy Hash: 74B1E170E04245ABDB119FA9D890BBEBBB7EF49300F14415EE544AB382DB74DD42CBA4

              Control-flow Graph
              • Graph image omitted (legend: Executed / Not Executed)
              APIs
              • WriteFile.KERNELBASE(?,00000000,006C9087,?,00000000,00000000,00000000,?,00000000,?,006BE5B1,006C9087,00000000,006BE5B1,?,?), ref: 006D5622
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: FileWrite
              • String ID:
              • API String ID: 3934441357-0
              • Opcode ID: e12083f92a3117e4f684bf0f27148b50a467f5280bfe74f551f15d1dcfdd8550
              • Instruction ID: 2386cef9b7b9d5ec5e3b5a51c18e803e71e11760ec1e493f33c1f1aa5c0c510b
              • Opcode Fuzzy Hash: e12083f92a3117e4f684bf0f27148b50a467f5280bfe74f551f15d1dcfdd8550
              • Instruction Fuzzy Hash: 9761CF71D04559AFDF11DFA8D884EEEBBBBAF49304F14014AE801A7755D735DA02CBA0

              Control-flow Graph
              • Graph image omitted (legend: Executed / Not Executed)
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 0a2e1504c5850e8fe20b4dad3baba88650050e5f09559d2454b9620935fc08c7
              • Instruction ID: e3b3f6e926049fb13f97bb333c9eacba9229901be2eae458d2ca1c00716746a6
              • Opcode Fuzzy Hash: 0a2e1504c5850e8fe20b4dad3baba88650050e5f09559d2454b9620935fc08c7
              • Instruction Fuzzy Hash: 8351B570A00108AFDB14CF98C895FBABBB2EF49364F24815DF8499B356D7329E51CB94

              Control-flow Graph
              • Graph image omitted (legend: Executed / Not Executed)
              APIs
              • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,006D49F9,00000000,CF830579,00711140,0000000C,006D4AB5,006C8BBD,?), ref: 006D4B69
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ChangeCloseFindNotification
              • String ID:
              • API String ID: 2591292051-0
              • Opcode ID: 7c506a9bdf78cebb9e0fa72753cb897ec34ce4e911560c7ea630335fc439f6a7
              • Instruction ID: 7081d87a116f1d0c912f2b7fef8d253bf0b6591d68d577c003f73b3eae5f3813
              • Opcode Fuzzy Hash: 7c506a9bdf78cebb9e0fa72753cb897ec34ce4e911560c7ea630335fc439f6a7
              • Instruction Fuzzy Hash: 6E115532E0816457C66022746842BBE674B8BE23B0F39020FE8088B3C2EE74DC418198

              Control-flow Graph
              • Graph image omitted (legend: Executed / Not Executed)
              APIs
              • SetFilePointerEx.KERNELBASE(00000000,00000000,00710DF8,006BE5B1,00000002,006BE5B1,00000000,?,?,?,006CE166,00000000,?,006BE5B1,00000002,00710DF8), ref: 006CE099
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: d39fdac817ea6707f1c2d44ab327504007b298c03923ba6622c5d33ac1a1049e
              • Instruction ID: 4b2c4530dd6f5c6cd9de1249e5bd2e9a127e45e5db11dff9d37b4359315f9bff
              • Opcode Fuzzy Hash: d39fdac817ea6707f1c2d44ab327504007b298c03923ba6622c5d33ac1a1049e
              • Instruction Fuzzy Hash: 0F012632714155ABCF15CF18CC05EAE3B2ADB85330B24024DF8509B291FAB2EA618BD0

              Control-flow Graph
              • Graph image omitted (legend: Executed / Not Executed)
              APIs
              • RtlAllocateHeap.NTDLL(00000008,006BD6FA,00000004,?,006D5D79,00000001,00000364,00000004,00000007,000000FF,?,006C067B,00000002,00000000,?,?), ref: 006D6435
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: dd70c29814824660030c03807416df8c0f2fcd07cfc58b555f5ccd5f486424c2
              • Instruction ID: 16270d57eba96166127d7fa5164fd6c2d49d650dbf805420d65665565d533175
              • Opcode Fuzzy Hash: dd70c29814824660030c03807416df8c0f2fcd07cfc58b555f5ccd5f486424c2
              • Instruction Fuzzy Hash: E4F05431D05224669B616F66DC06B9B3BDB9B85764B15C067FC0496380CBA0E81146F5

              Control-flow Graph
              • Graph image omitted (legend: Executed / Not Executed)
              APIs
              • RtlAllocateHeap.NTDLL(00000000,00000004,00000000,?,006C067B,00000002,00000000,?,?,?,005E303D,006BD6FA,00000004,00000000,006BD6FA), ref: 006D6E60
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              APIs
              • GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 006640CC
              • GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 00664116
              • GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 0066414E
              • GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 00664196
              • GetProcAddress.KERNEL32(00000000,DCFDFBC6), ref: 006641E9
              Strings
              • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36, xrefs: 00664037
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: AddressProc
              • String ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
              • API String ID: 190572456-383447037
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 0064F833
              • std::_Lockit::_Lockit.LIBCPMT ref: 0064F855
              • std::_Lockit::~_Lockit.LIBCPMT ref: 0064F875
              • std::_Lockit::~_Lockit.LIBCPMT ref: 0064F89F
              • std::_Lockit::_Lockit.LIBCPMT ref: 0064F90D
              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0064F959
              • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0064F973
              • std::_Lockit::~_Lockit.LIBCPMT ref: 0064FA08
              • std::_Facet_Register.LIBCPMT ref: 0064FA15
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
              • String ID: bad locale name$"p
              • API String ID: 3375549084-3171176342
              APIs
              • GetModuleHandleA.KERNEL32(F8F7E6FF,?,?,007156BC), ref: 005E8E0E
              • GetProcAddress.KERNEL32(00000000,E1D7E6DF), ref: 005E8E1B
              • GetModuleHandleA.KERNEL32(F8F7E6FF), ref: 005E8E85
              • GetProcAddress.KERNEL32(00000000,E1C2E6DF), ref: 005E8E8C
              • CloseHandle.KERNEL32(00000000), ref: 005E9092
              • CloseHandle.KERNEL32(00000000), ref: 005E90F4
              • CloseHandle.KERNEL32(00000000), ref: 005E9121
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Handle$Close$AddressModuleProc
              • String ID: File$}Vn$}Vn
              • API String ID: 4110381430-1811535537
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E3E7F
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: @3^$@3^$G>^$G>^$`!^$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
              • API String ID: 2659868963-3207115525
              APIs
              • _ValidateLocalCookies.LIBCMT ref: 006C2E47
              • ___except_validate_context_record.LIBVCRUNTIME ref: 006C2E4F
              • _ValidateLocalCookies.LIBCMT ref: 006C2ED8
              • __IsNonwritableInCurrentImage.LIBCMT ref: 006C2F03
              • _ValidateLocalCookies.LIBCMT ref: 006C2F58
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
              • String ID: iq$csm
              • API String ID: 1170836740-2322788918
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E3E7F
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: @3^$@3^$`!^$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
              • API String ID: 2659868963-535810501
              • Opcode ID: 406dc474efa465bcd219bbc36c74c4635f25b50a54c2cbe85e178bb6006d7667
              • Instruction ID: cb5d984c4f9a2cd1018b0fe4a11a8b2f30a5db11a23a93438b5fa7becf037b56
              • Opcode Fuzzy Hash: 406dc474efa465bcd219bbc36c74c4635f25b50a54c2cbe85e178bb6006d7667
              • Instruction Fuzzy Hash: 1A21EEB3500345ABC718DF59D809F96BBDCBB44310F14887EFA988B641E774E914CB95
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E7340
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2907712400.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908082573.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908151714.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908212071.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908274078.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908602477.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908650246.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908835451.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908887511.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908957824.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909015175.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909077040.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909129320.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909204904.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909471331.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909629551.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^$parse error$parse_error$u^
              • API String ID: 2659868963-3588640227
              • Opcode ID: 96e4b53c47f70ecbcfdc5ee9a362f6256be67672fc5c53a38587b8eeb9d9bcb0
              • Instruction ID: 71c7deccd4a6390633cc7c7b46d384c605d062ab9284f6003387e50de9828908
              • Opcode Fuzzy Hash: 96e4b53c47f70ecbcfdc5ee9a362f6256be67672fc5c53a38587b8eeb9d9bcb0
              • Instruction Fuzzy Hash: F5E16D719042488FDB58CF68C884B9DBBB2FF48300F24866DE458EB792D7749A81CF55
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E799A
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E7B75
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2907712400.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908082573.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908151714.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908212071.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908274078.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908602477.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908650246.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908835451.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908887511.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908957824.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909015175.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909077040.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909129320.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909204904.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909471331.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909629551.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^$out_of_range$type_error
              • API String ID: 2659868963-2822758601
              • Opcode ID: 4019c516f2f82b62e796e75ef782face80c5a8f67f2236dd931311d6cc02e3d0
              • Instruction ID: f090722619b0cb688438224bd3f5902fda0698fa266dfcc2e575e12fe33bf28d
              • Opcode Fuzzy Hash: 4019c516f2f82b62e796e75ef782face80c5a8f67f2236dd931311d6cc02e3d0
              • Instruction Fuzzy Hash: 5FC158B19002489FDB58CFA8D884B9DBBF6FF48300F14866DE459EB792E7749980CB54
              APIs
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E75BE
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E75CD
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2907712400.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908082573.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908151714.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908212071.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908274078.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908602477.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908650246.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908835451.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908887511.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908957824.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909015175.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909077040.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909129320.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909204904.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909471331.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909629551.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_destroy
              • String ID: at line $, column $`!^$yo^
              • API String ID: 4194217158-262291558
              • Opcode ID: f389948c6c52c14b67ee78f4fe6b4bfda679fa01324f67328ba931072655488e
              • Instruction ID: 0a013b8861c3c4990ae5cc52710d9ea3714a46b88a47f8fc85044f53f2baf42a
              • Opcode Fuzzy Hash: f389948c6c52c14b67ee78f4fe6b4bfda679fa01324f67328ba931072655488e
              • Instruction Fuzzy Hash: 7E61F571A002499FDB0CCF68DC84BADBBB6FF48300F24462DF455A7782D774AA408B94
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 005E3A58
              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005E3AA4
              • __Getctype.LIBCPMT ref: 005E3ABA
              • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 005E3AE6
              • std::_Lockit::~_Lockit.LIBCPMT ref: 005E3B7B
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2907712400.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908082573.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908151714.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908212071.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908274078.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908602477.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908650246.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908835451.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908887511.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908957824.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909015175.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909077040.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909129320.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909204904.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909471331.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909629551.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
              • String ID: bad locale name
              • API String ID: 1840309910-1405518554
              • Opcode ID: a50f3266298faa2dbf8d77462a04a12d52bd1765b6b7d6918e3402f3316bd8d4
              • Instruction ID: cc21b3653f9bdf4487c2a5149338688b3936f2470c9220968b8795935c4694f2
              • Opcode Fuzzy Hash: a50f3266298faa2dbf8d77462a04a12d52bd1765b6b7d6918e3402f3316bd8d4
              • Instruction Fuzzy Hash: DF518FB1D002489BEF14DFA5D885BDEBBB8BF14310F14406DE849AB381E775DA44CBA5
              APIs
              • LocalAlloc.KERNEL32(00000040,0000001C), ref: 005EB1F0
              • LocalAlloc.KERNEL32(00000040,0000001C,?,00000000,00000000), ref: 005EB239
              • SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,00000000,00000000,00000000,?,00000000), ref: 005EB26D
              • SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,?,00000000,?,00000000,00000000), ref: 005EB28F
              • LocalFree.KERNEL32(?,?,?,?,?,00000000,?,00000000,00000000), ref: 005EB2C0
              • LocalFree.KERNEL32(?,?,?,00000000,?,00000000,00000000), ref: 005EB2C5
              • LocalFree.KERNEL32(?,?,?,00000000,?,00000000,00000000), ref: 005EB2C8
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2907712400.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908082573.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908151714.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908212071.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908274078.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908602477.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908650246.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908835451.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908887511.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908957824.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909015175.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909077040.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909129320.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909204904.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909471331.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909629551.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Local$Free$AllocDetailDeviceInterfaceSetup
              • String ID:
              • API String ID: 4232148138-0
              • Opcode ID: d1c9b4f887084d51ca7e659bf52d208bc36596985cfe7887dfc9ce3f2acae87a
              • Instruction ID: d7ce2470db9ac936b1682fe3b3286ce58d298316d030d0f081534b09bf3bb9ff
              • Opcode Fuzzy Hash: d1c9b4f887084d51ca7e659bf52d208bc36596985cfe7887dfc9ce3f2acae87a
              • Instruction Fuzzy Hash: EE413AB5A40349AFDB60DFA9DC41BAEBBF9FF48700F10452AE559E7690E770A9008B50
              APIs
              • __allrem.LIBCMT ref: 006CD69B
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006CD6B7
              • __allrem.LIBCMT ref: 006CD6CE
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006CD6EC
              • __allrem.LIBCMT ref: 006CD703
              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006CD721
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2907712400.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908082573.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908151714.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908212071.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908274078.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908602477.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908650246.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908835451.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908887511.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908957824.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909015175.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909077040.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909129320.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909204904.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909471331.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909629551.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
              • String ID:
              • API String ID: 1992179935-0
              • Opcode ID: 7222d4fbd83bf911f66e88245ad854337fd27cd591c1530f5d5dc897f2461532
              • Instruction ID: 48a856060aff5c9cfbb3f85407cc616c122fa544787b4e28f7136243ed06ba6f
              • Opcode Fuzzy Hash: 7222d4fbd83bf911f66e88245ad854337fd27cd591c1530f5d5dc897f2461532
              • Instruction Fuzzy Hash: 7E81B4B2A00705ABD720AA69DC41FBA73EBEF41724F24463EF415D7781EB74D9008BA4
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 0064DE93
              • std::_Lockit::_Lockit.LIBCPMT ref: 0064DEB6
              • std::_Lockit::~_Lockit.LIBCPMT ref: 0064DED6
              • std::_Facet_Register.LIBCPMT ref: 0064DF4B
              • std::_Lockit::~_Lockit.LIBCPMT ref: 0064DF63
              • Concurrency::cancel_current_task.LIBCPMT ref: 0064DF7B
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2907712400.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908082573.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908151714.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908212071.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908274078.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908602477.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908650246.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908835451.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908887511.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908957824.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909015175.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909077040.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909129320.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909204904.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909471331.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909629551.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
              • String ID:
              • API String ID: 2081738530-0
              • Opcode ID: 4ed6bffd0b78159ff407af31dbd954671e8a6a5e5303b1d9258154c91553364c
              • Instruction ID: ad128decd795e6f4fb8bb067ab2e4cd2f2b68e7507bb84957efef601b003deb0
              • Opcode Fuzzy Hash: 4ed6bffd0b78159ff407af31dbd954671e8a6a5e5303b1d9258154c91553364c
              • Instruction Fuzzy Hash: 1A31EFB1D00256DFCB64DF48D880AEEBBB6FB00720F148299E8166B392D731AD45CBD5
              APIs
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E4F72
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E4FFF
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2907712400.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908082573.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908151714.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908212071.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908274078.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908602477.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908650246.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908835451.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908887511.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908957824.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909015175.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909077040.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909129320.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909204904.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909471331.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909629551.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_destroy
              • String ID: ", "$: "$`!^
              • API String ID: 4194217158-1246380630
              • Opcode ID: 469bfa3249d7d0d453234af32832c2024593ae1d1879c7a3f5db4ad7cb7ecb15
              • Instruction ID: 9d4ecd15a9fb4cb3803a870d02549764480b424ce4b5c487b1776da080fb8fa0
              • Opcode Fuzzy Hash: 469bfa3249d7d0d453234af32832c2024593ae1d1879c7a3f5db4ad7cb7ecb15
              • Instruction Fuzzy Hash: D1C1F2719002448FDB28DF69C885BAEBBFAFF44300F14492DE49697782E774A944CBA5
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: \*.*
              • API String ID: 0-1173974218
              • Opcode ID: f9d33ad8415a2213b6c63c4fafee7cfd17aff15e67ec92f13b5557ef2d0240b6
              • Instruction ID: c970ecd9929ef75b8097d8b7739a4bd0ab55f1925b006fc35dbdcb5d1241d3bb
              • Opcode Fuzzy Hash: f9d33ad8415a2213b6c63c4fafee7cfd17aff15e67ec92f13b5557ef2d0240b6
              • Instruction Fuzzy Hash: BBA1C2709002899FDB18DFB9C9947EEBFB6FF48310F104529E491E7282D770A985CB66
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E32C6
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E3350
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy___std_exception_destroy
              • String ID: @3^$`!^$`!^
              • API String ID: 2970364248-1577654005
              • Opcode ID: d109883bd55ba2f7dfcc1521371c8576c4f4afe41f0e331bad2ed7a73cb87214
              • Instruction ID: 422a81c6e04e715ea09989a2445efeb52ca69406a98966cbd1387b5847a8e03f
              • Opcode Fuzzy Hash: d109883bd55ba2f7dfcc1521371c8576c4f4afe41f0e331bad2ed7a73cb87214
              • Instruction Fuzzy Hash: 7C519C759002589FDB18CF98D889BEEBBB6FF48300F14812EE855A7392D7749A41CB94
              APIs
                • Part of subcall function 005E3190: ___std_exception_copy.LIBVCRUNTIME ref: 005E32C6
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E345F
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: +4^$@3^$@3^$`!^
              • API String ID: 2659868963-1877915259
              • Opcode ID: 1112750ba11c832e4ee43f4b265f4be5aa83058f2b7514e55cd3bba508bf219e
              • Instruction ID: eefbd888b26400e8744f0fd53b75aee4a205a8e466fe3fc9906cff9e993418c0
              • Opcode Fuzzy Hash: 1112750ba11c832e4ee43f4b265f4be5aa83058f2b7514e55cd3bba508bf219e
              • Instruction Fuzzy Hash: 9031A2B29002499FCB18DFA9D845AAEFFF9FB48710F10852EE514D7641E770A650CB94
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E345F
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: +4^$@3^$@3^$`!^
              • API String ID: 2659868963-1877915259
              • Opcode ID: fa909f59a189929e4be73e45fe020132d58692f46218755354ced847ba4093e8
              • Instruction ID: d410605c97ee4df992438e68a59f24d2a626607e28a96a9b5ffaa829754c472b
              • Opcode Fuzzy Hash: fa909f59a189929e4be73e45fe020132d58692f46218755354ced847ba4093e8
              • Instruction Fuzzy Hash: D901FFB650030AAF8708DFA9D445C96FBFDFF58710710846AE51987611EBB0E554CB94
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 0064D06F
              • ___std_exception_copy.LIBVCRUNTIME ref: 0064D096
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^$u^
              • API String ID: 2659868963-2492332708
              • Opcode ID: dd1def0ff16d497944d201b012077c8bc6c966005e92632583c57d8a32d5e22e
              • Instruction ID: 9cad35764ec978474cc63aabc3895d499ff1912013720ef161d5ab616e6513b9
              • Opcode Fuzzy Hash: dd1def0ff16d497944d201b012077c8bc6c966005e92632583c57d8a32d5e22e
              • Instruction Fuzzy Hash: C001A4B6501706AF8704DF59D405892FBF9FB58710701852FE529CBB11E7B0E528CFA4
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID: \$abcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZ$hrq
              • API String ID: 0-287274543
              • Opcode ID: 68b3c1ad0263c76e692203be0ddc8fd00ed17c820e6a7b032293c7dbfbc7d1a7
              • Instruction ID: 6cd96ae5b6b8a3ae90dd9c6afe2321c2d6dcd10e25c22f7f51e6560d0b06de20
              • Opcode Fuzzy Hash: 68b3c1ad0263c76e692203be0ddc8fd00ed17c820e6a7b032293c7dbfbc7d1a7
              • Instruction Fuzzy Hash: 37E1A271D002499FEB08CFA8C8857EDBBB5FF44300F14826DE515AB382D7799A85CBA0
              APIs
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E6F11
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E6F20
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_destroy
              • String ID: [json.exception.$`!^
              • API String ID: 4194217158-1084409180
              • Opcode ID: a240104034051146a43101b4de89cd38ced386b663d615c1b35dc24524215f6e
              • Instruction ID: bbb90b0123d943d23f9c415c546ff84419f8fc23d1c2dace56f9b3acc5ea2c56
              • Opcode Fuzzy Hash: a240104034051146a43101b4de89cd38ced386b663d615c1b35dc24524215f6e
              • Instruction Fuzzy Hash: D091D271A002449FDB1CCF68C984B9EBBF6FF54340F20866CE459AB792D770AA81CB50
              APIs
              • GetSystemMetrics.USER32(00000001), ref: 005EAF8A
              • GetSystemMetrics.USER32(00000000), ref: 005EAF90
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: MetricsSystem
              • String ID: d$image/png
              • API String ID: 4116985748-2616758285
              • Opcode ID: 81da90dbcc8a9ae671d21dc1fccd5ab38a7571a9179c13cf4e327eeac9cf514a
              • Instruction ID: 1f34a4185c481c2dc0292b08acb79854823dd51b98179627658b5493116c9792
              • Opcode Fuzzy Hash: 81da90dbcc8a9ae671d21dc1fccd5ab38a7571a9179c13cf4e327eeac9cf514a
              • Instruction Fuzzy Hash: E0518CB1504341AFE710DF21C898B6BBBE9FB85754F001D2DF89493240E772E904CB96
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E77B4
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^$invalid_iterator
              • API String ID: 2659868963-3096502865
              • Opcode ID: e2b525b3f60da3140a54e3b89b91dbedebeddaf82b38193110b0270113e0605c
              • Instruction ID: 12db1614c9155171e14a524e4480d4f71ea3cb89d4b7682171ffbde780990e6d
              • Opcode Fuzzy Hash: e2b525b3f60da3140a54e3b89b91dbedebeddaf82b38193110b0270113e0605c
              • Instruction Fuzzy Hash: 5A5137B19002489FDB18CFA8D89479DBBF2FB48300F14866DE459EB792E7749980CB94
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E7D67
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^$other_error
              • API String ID: 2659868963-1867354975
              • Opcode ID: 64f2e1ef643a0f219b63c7a361f7631c67473ab4040686a1bb382d24e542735e
              • Instruction ID: 24e2cddd822ee45c3d9c62cf711e43237ce016351bda87547be3f2fd56f288df
              • Opcode Fuzzy Hash: 64f2e1ef643a0f219b63c7a361f7631c67473ab4040686a1bb382d24e542735e
              • Instruction Fuzzy Hash: E15158B19002488FDB58CFA8D9847ADBFF2FF48300F248669E459EB792D7749980CB54
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E50C8
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: @3^$`!^$recursive_directory_iterator::operator++
              • API String ID: 2659868963-2947506004
              • Opcode ID: 602214e5c16e4ae5fe36ca4731e25ca0b231a9e1f98745487a08a72beda30e0d
              • Instruction ID: db2d5d4aa9b76bfb5d077e86ffe0bcb1f1c93c93afae811a5074a7b9f8a75a8f
              • Opcode Fuzzy Hash: 602214e5c16e4ae5fe36ca4731e25ca0b231a9e1f98745487a08a72beda30e0d
              • Instruction Fuzzy Hash: CB319EB6800649EFC714DF55D845F8ABBF8FB08710F008669E95693A81EB74BA14CBA1
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 0065B3DF
              • ___std_exception_copy.LIBVCRUNTIME ref: 0065B406
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^
              • API String ID: 2659868963-985837307
              • Opcode ID: a02bca74e933e18426cce351e423eacf0e101129276786fca458bcced44c9a42
              • Instruction ID: 527a71d48f8d06e7ab8c1c285c1780f9dc0c61626dfd0144042a829860cabb11
              • Opcode Fuzzy Hash: a02bca74e933e18426cce351e423eacf0e101129276786fca458bcced44c9a42
              • Instruction Fuzzy Hash: EFF0C4B6501706AF8708DF59D405896FBE9FA54710301853FE52ACBB01E7B0E528CFA4
              APIs
              • Process32Next.KERNEL32(00000000,00000128), ref: 005EDAB0
              • Process32Next.KERNEL32(00000000,?), ref: 005EDAF8
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: NextProcess32
              • String ID: ?
              • API String ID: 1850201408-1684325040
              • Opcode ID: 1bc63751e1ca1fba439003deb85e9aff2efa1b94880a0d0fb59aefc719522ac9
              • Instruction ID: bebe3b675947c7d5d3a9a3a3cc50d05ae40ff39f707da84060058e0f118b2c69
              • Opcode Fuzzy Hash: 1bc63751e1ca1fba439003deb85e9aff2efa1b94880a0d0fb59aefc719522ac9
              • Instruction Fuzzy Hash: EDF15BB1D0526D9ADB64EB90CC45BEEBBBDFF14300F4004D9E549A6242EB705B88CF66
              APIs
              • Concurrency::cancel_current_task.LIBCPMT ref: 0065A656
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: Concurrency::cancel_current_task
              • String ID: pected $unexpected
              • API String ID: 118556049-356062554
              • Opcode ID: a488096d346ddb20ad401a233e08d86b5c368dbbab1f4f7ebdf35b9828553d39
              • Instruction ID: 0cd099f2818222909a93f3ca8f3b833819512eae79f383cef40d639561c3fcd8
              • Opcode Fuzzy Hash: a488096d346ddb20ad401a233e08d86b5c368dbbab1f4f7ebdf35b9828553d39
              • Instruction Fuzzy Hash: 735114725001109FD728DF68DC84AAAB7A7EF84311F64476DFC168B346EB30ED898795
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E34AF
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: @3^$`!^
              • API String ID: 2659868963-3143709943
              • Opcode ID: 1b8929309b989fd906d0b46a1a3df98cffa5b782f2ef3e10fe8a1e5ee489c443
              • Instruction ID: 810cbffb39fb53598f407c9d7f8b2259fe49039fe2a5ee4bfb632c087bf9d5ad
              • Opcode Fuzzy Hash: 1b8929309b989fd906d0b46a1a3df98cffa5b782f2ef3e10fe8a1e5ee489c443
              • Instruction Fuzzy Hash: D3F0A5B6604705AF8708CF5AD401896FBE9FB99710315853FE529C7B00E7B0E5248BA4
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E3078
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2907712400.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908082573.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908151714.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908212071.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908274078.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908602477.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908650246.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908835451.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908887511.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908957824.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909015175.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909077040.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909129320.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909204904.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909471331.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909629551.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^
              • API String ID: 2659868963-985837307
              • Opcode ID: 380b2eabaced5ce806821a513ae90f975fd8139c557d6744c0c5c56a205fc9de
              • Instruction ID: b08afc3fbc825b5a607e2ca7b68de38c7852650a7e8d0dd1c9b3275b641124b0
              • Opcode Fuzzy Hash: 380b2eabaced5ce806821a513ae90f975fd8139c557d6744c0c5c56a205fc9de
              • Instruction Fuzzy Hash: 39E0EDB69113489BC710DFA9980598AFFE8AB29701F0086AAE948D7201F6B195548BD5
              APIs
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E75F1
              • ___std_exception_destroy.LIBVCRUNTIME ref: 005E7600
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2907712400.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908082573.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908151714.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908212071.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908274078.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908602477.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908650246.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908835451.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908887511.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908957824.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909015175.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909077040.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909129320.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909204904.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909471331.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909629551.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_destroy
              • String ID: `!^
              • API String ID: 4194217158-3084548898
              • Opcode ID: 6af2f6ca4a4222366114cc7910663b7b92fdd21c539ed3f4db77e6fd6beeb2fc
              • Instruction ID: ead81c73ef6245ed0f0bd59481c2749a48a8668d09b306ac10864bfc8ba96a36
              • Opcode Fuzzy Hash: 6af2f6ca4a4222366114cc7910663b7b92fdd21c539ed3f4db77e6fd6beeb2fc
              • Instruction Fuzzy Hash: D2E086F250075853C720AF559C09F9ABADD9F35705F04483EF95492701E7B1E65883E9
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E30AE
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2907712400.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908082573.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908151714.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908212071.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908274078.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908602477.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908650246.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908835451.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908887511.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908957824.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909015175.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909077040.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909129320.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909204904.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909471331.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909629551.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^
              • API String ID: 2659868963-985837307
              • Opcode ID: e84b3075c86c2e0b4b97d197977f03163f51781e32eade403ad7d41828cd44f3
              • Instruction ID: 5300f0e1582f6b8bccb0c77cb1c750a4f5998eb97474cb451135d2615a8de544
              • Opcode Fuzzy Hash: e84b3075c86c2e0b4b97d197977f03163f51781e32eade403ad7d41828cd44f3
              • Instruction Fuzzy Hash: 65E017B26053189FC718DF89E805996BFEDEB25754705843EF649DB301E6B1E8208FA8
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 005E224E
              Strings
              Memory Dump Source
              • Source File: 00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp, Offset: 005E0000, based on PE: true
              • Associated: 00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2907712400.0000000000713000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908082573.0000000000718000.00000008.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908151714.000000000071B000.00000004.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908212071.000000000071C000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908274078.0000000000728000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908602477.0000000000889000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908650246.000000000088B000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008A0000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908724108.00000000008AE000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908835451.00000000008B3000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908887511.00000000008B5000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2908957824.00000000008DC000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909015175.00000000008DD000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909077040.00000000008E7000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909129320.00000000008F3000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909204904.000000000090D000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000910000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.000000000094D000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909265082.0000000000951000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909471331.000000000097B000.00000040.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.000000000097C000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909523685.0000000000982000.00000080.00000001.01000000.00000004.sdmp
              • Associated: 00000006.00000002.2909629551.0000000000992000.00000040.00000001.01000000.00000004.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_6_2_5e0000_MPGPH131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!^$`!^
              • API String ID: 2659868963-985837307
              • Opcode ID: 7b245721c2e8ade2686f08d10b9f482dd5c0efb40d90aae61a3297ba18e0be5f
              • Instruction ID: b7ad5ddfe473e00876ad52e5754bed08428ee662793d67631ea87400271f381c
              • Opcode Fuzzy Hash: 7b245721c2e8ade2686f08d10b9f482dd5c0efb40d90aae61a3297ba18e0be5f
              • Instruction Fuzzy Hash: F9E017B2A053149BC718DF89E801996BFEDEB25754705C43EF649DB301E7B0E8208BA8
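The dotted .sdmp names in the Memory Dump Source lists above are the only record of which regions of process 6 were dumped and with what page protection. The parser below is an added example, not Joe Sandbox code. It assumes the fourth field is the region base address and the fifth the Win32 page protection: both are consistent with the "Offset: 005E0000, based on PE: true" line and with the values 04, 08, 40 and 80 seen in the lists, which are the PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY constants from winnt.h. The other fields are kept raw and not interpreted. The check it performs is the one an analyst wants here: which dumped regions are both writable and executable, the memory-side footprint behind the "changes PE section rights" signature in this report.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Win32 page-protection constants (winnt.h). These are documented values.
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80

PROTECT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS",
    PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE",
    PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE",
    PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE = {PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass(frozen=True)
class Region:
    process: int            # field 1: sandbox process index (assumed meaning)
    base: int               # field 4: region base address (assumed; matches the report's "Offset")
    protect: int            # field 5: page protection, low byte is a PAGE_* value
    fields: Tuple[str, ...]  # all eight raw fields, nothing discarded

    @property
    def protect_name(self) -> str:
        return PROTECT_NAMES.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def writable_and_executable(self) -> bool:
        p = self.protect & 0xFF
        return p in WRITABLE and p in EXECUTABLE

    def rva(self, image_base: int) -> int:
        """Offset of this region from the module's image base."""
        return self.base - image_base


# Eight dot-separated fields followed by ".sdmp"; the third field is all digits
# on this page, so the character class is deliberately permissive.
_NAME = re.compile(r"^((?:[0-9A-Fa-f]+\.){7}[0-9A-Fa-f]+)\.sdmp$")


def parse_sdmp_name(name: str) -> Region:
    m = _NAME.match(name.strip())
    if not m:
        raise ValueError(f"not an eight-field .sdmp name: {name!r}")
    fields = tuple(m.group(1).split("."))
    return Region(process=int(fields[0], 16), base=int(fields[3], 16),
                  protect=int(fields[4], 16), fields=fields)


def wx_regions(names: Iterable[str]) -> List[Region]:
    """Regions dumped with both write and execute permission, in input order."""
    return [r for r in map(parse_sdmp_name, names) if r.writable_and_executable]


# Region names copied from the Memory Dump Source lists on this page
# (process 6, module image base 0x5E0000 per the report's "Offset" line).
SAMPLE_NAMES = [
    "00000006.00000002.2907651645.00000000005E0000.00000004.00000001.01000000.00000004.sdmp",
    "00000006.00000002.2907712400.00000000005E1000.00000040.00000001.01000000.00000004.sdmp",
    "00000006.00000002.2908082573.0000000000718000.00000008.00000001.01000000.00000004.sdmp",
    "00000006.00000002.2908274078.0000000000728000.00000080.00000001.01000000.00000004.sdmp",
    "00000006.00000002.2909629551.0000000000992000.00000040.00000001.01000000.00000004.sdmp",
]
IMAGE_BASE = 0x5E0000

if __name__ == "__main__":
    for r in map(parse_sdmp_name, SAMPLE_NAMES):
        flag = "W+X" if r.writable_and_executable else "   "
        print(f"{flag} pid#{r.process} base=0x{r.base:08X} "
              f"rva=0x{r.rva(IMAGE_BASE):06X} {r.protect_name}")
```

The PE header page at RVA 0 comes out PAGE_READWRITE while the first code page at RVA 0x1000 is PAGE_EXECUTE_READWRITE; a legitimately mapped image would have its code pages PAGE_EXECUTE_READ, so every W+X hit is a candidate for unpacked or self-modified code to carve out of the dump.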

              Execution Graph

              Execution Coverage:3.3%
              Dynamic/Decrypted Code Coverage:0%
              Signature Coverage:0%
              Total number of Nodes:674
              Total number of Limit Nodes:82
              execution_graph (the interactive node/edge rendering did not survive extraction; the raw edge list of numeric node ids is omitted here). The recoverable node labels, grouped by the root function of each subgraph, with the Windows API and CRT calls attached to each node:

              • e9b6a0: __Getctype (e9b6fe); RegOpenKeyExA (e9b8d9); RegQueryValueExA (e9b954); GetCurrentHwProfileA (e9ba6d); SetupDiGetClassDevsA (e9bab4); e9b1a0 (9 API calls, ___std_exception_copy); allocation and locale helpers f747b0 (RtlAllocateHeap), f7d7d6 (RtlAllocateHeap, ___std_exception_destroy), e92270 (RtlAllocateHeap x2, __fread_nolock), f01ed0 (RtlAllocateHeap x2, Concurrency::cancel_current_task, std::_Facet_Register, std::locale::_Locimp::_Locimp), e921d0 (RtlAllocateHeap x2, Concurrency::cancel_current_task, ___std_exception_copy), f6f290 (std::_Facet_Register), f006c0 (2 API calls, 4 library calls), efa350, efa480, e92ae0, f020e0.
              • eae0a0: WSAStartup, then a loop socket (eae175) -> connect (eae18b) -> closesocket (eae19d) -> socket (eae175), exiting to eae1a7.
              • ea57b8: GetPEB x2. ea5498: GetPEB x5.
              • eaf880: Sleep, RtlAllocateHeap x2.
              • e9a090: f6f290 (std::_Facet_Register), e92ae0, f75362 (RtlAllocateHeap), f79136, f74eeb, efcf60, f7dbdf (__fread_nolock), f78be8, f747b0 (RtlAllocateHeap), f78e8d, f00560, f7dbfc, f79010, f78f37, f755d3, f7e17d; file I/O helpers f7e13d, f74cae, f74ae3, f84335, f8417b (SetFilePointerEx), f848e3 (ReadFile), f85f82 and f90d44 (__fread_nolock, RtlAllocateHeap); error paths f7d23f, f7d22c, f7d1e5, f86db3, f86e2d (RtlAllocateHeap, __dosmaperr), f744dc, f747a0, f74723 (RtlAllocateHeap, ___std_exception_copy).
              • e9a690: GetSystemTimePreciseAsFileTime (f6e812); GetFileAttributesA (e9a6bd); __Mtx_unlock (e9a6c9); f6e4bb (6 API calls, std::locale::_Setgloballocale).
              • ea4490: RegOpenKeyExA x2, RtlAllocateHeap x2, std::ios_base::_Ios_base_dtor.
              • ea7e3e: GetUserNameA (ea7ff4); GetSystemTimePreciseAsFileTime (f6e812); GetFileAttributesA (ea815b, ea874f); __Mtx_unlock (ea8167, ea875b); efe530 (RtlAllocateHeap x2, std::locale::_Locimp::_Locimp); ea5b90 (7 API calls, 3 library calls); e9a600 (5 API calls); f6e4bb (6 API calls, std::locale::_Setgloballocale); helpers f020e0, e92ae0, efa480, efa4f0, efa770, f006c0, f747b0, e92270, e921d0, f7d7d6, f75362, f7d168, f6f290.
              • Nodes carrying only a call count: ea48e0 (16 API calls), ea03fa (12 API calls, 2 library calls), ea4dc9 (11 API calls), eac0a0 (14 API calls, std::_Facet_Register), ea3aa0 (18 API calls, 2 library calls), e9d892 (20 API calls, __fread_nolock), e95f90 (6 API calls, std::ios_base::_Ios_base_dtor), e92160 (RtlAllocateHeap, std::ios_base::_Ios_base_dtor, ___std_exception_destroy), ea8c58 (7 API calls, 2 library calls), e91050 (RtlAllocateHeap x2), ea9f50 (5 API calls, 4 library calls), e9972e (9 API calls, std::ios_base::_Ios_base_dtor).

              The edge list on the original page is cut off inside the ea7e3e subgraph, so the later subgraphs are incomplete.
29776->29782 29777->29771 29777->29772 29778->29775 29780 e92bb4 29779->29780 29781->29782 29782->29617 29784 efa490 29783->29784 29784->29784 29787 efa4a7 std::locale::_Locimp::_Locimp 29784->29787 29879 f006c0 2 API calls 4 library calls 29784->29879 29786 efa4e2 29786->29623 29787->29623 29880 f6e5ec 29788->29880 29790 ea8135 29790->29635 29790->29636 29792 efa799 29791->29792 29793 efa851 29792->29793 29799 efa7aa 29792->29799 29888 e92270 RtlAllocateHeap RtlAllocateHeap __fread_nolock 29793->29888 29795 efa7b6 std::locale::_Locimp::_Locimp 29795->29694 29796 efa856 29889 e921d0 RtlAllocateHeap RtlAllocateHeap Concurrency::cancel_current_task ___std_exception_copy 29796->29889 29797 efa7db 29800 f6f290 std::_Facet_Register 2 API calls 29797->29800 29799->29795 29799->29797 29802 efa81d 29799->29802 29803 efa814 29799->29803 29801 efa7ee 29800->29801 29804 f747b0 RtlAllocateHeap 29801->29804 29807 efa7f5 std::locale::_Locimp::_Locimp 29801->29807 29806 f6f290 std::_Facet_Register 2 API calls 29802->29806 29802->29807 29803->29796 29803->29797 29805 efa860 29804->29805 29805->29694 29806->29807 29807->29694 29809 e9a610 29808->29809 29809->29809 29810 f75362 RtlAllocateHeap 29809->29810 29811 e9a638 29810->29811 29812 f78be8 5 API calls 29811->29812 29814 e9a645 29811->29814 29812->29814 29813 e9a674 std::ios_base::_Ios_base_dtor 29813->29706 29814->29813 29815 f747b0 RtlAllocateHeap 29814->29815 29816 e9a68a 29815->29816 29818 efa504 29817->29818 29821 efa514 std::locale::_Locimp::_Locimp 29818->29821 29890 f006c0 2 API calls 4 library calls 29818->29890 29820 efa55a 29820->29682 29821->29682 29891 f752a0 29822->29891 29824 ea9b91 29824->29710 29825 ea40e0 29824->29825 29924 f6ec6a 29825->29924 29827 ea40eb __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 29827->29701 29829 f7d17b ___std_exception_copy 29828->29829 29931 f7cf4a 29829->29931 29831 f7d190 29939 f744dc 29831->29939 29834 f78be8 29835 f78bfb ___std_exception_copy 29834->29835 29949 f78ac3 29835->29949 
29837 f78c07 29838 f744dc ___std_exception_copy RtlAllocateHeap 29837->29838 29839 f78c13 29838->29839 29839->29708 29840->29626 29841->29679 29842->29702 29843->29720 29844->29723 29845->29727 29846->29734 29847->29738 29848->29741 29849->29745 29850->29627 29852->29642 30086 f746ec RtlAllocateHeap ___std_exception_copy 29853->30086 29855 f747bf __Getctype 29857->29678 29858->29654 29860 f6f295 std::_Facet_Register 29859->29860 29862 f6f2af 29860->29862 29864 e921d0 Concurrency::cancel_current_task 29860->29864 29869 f7df2c 29860->29869 29862->29759 29863 f6f2bb 29863->29863 29864->29863 29875 f70651 RtlAllocateHeap RtlAllocateHeap ___std_exception_destroy ___std_exception_copy 29864->29875 29866 e92213 29866->29759 29867->29759 29868->29766 29874 f86e2d __dosmaperr std::_Facet_Register 29869->29874 29870 f86e6b 29876 f7d23f RtlAllocateHeap __dosmaperr 29870->29876 29872 f86e56 RtlAllocateHeap 29873 f86e69 29872->29873 29872->29874 29873->29860 29874->29870 29874->29872 29875->29866 29876->29873 29877->29772 29878->29775 29879->29786 29881 f6e64e 29880->29881 29883 f6e614 _ValidateLocalCookies 29880->29883 29881->29883 29886 f6ec91 GetSystemTimePreciseAsFileTime __aulldiv __aullrem __Xtime_get_ticks 29881->29886 29883->29790 29884 f6e6a4 __Xtime_diff_to_millis2 29884->29883 29887 f6ec91 GetSystemTimePreciseAsFileTime __aulldiv __aullrem __Xtime_get_ticks 29884->29887 29886->29884 29887->29884 29888->29796 29889->29801 29890->29820 29893 f752ac __fread_nolock 29891->29893 29892 f752b3 29909 f7d23f RtlAllocateHeap __dosmaperr 29892->29909 29893->29892 29896 f752d3 29893->29896 29895 f752b8 29910 f747a0 RtlAllocateHeap ___std_exception_copy 29895->29910 29898 f752e5 29896->29898 29899 f752d8 29896->29899 29905 f86688 29898->29905 29911 f7d23f RtlAllocateHeap __dosmaperr 29899->29911 29902 f752ee 29904 f752c3 29902->29904 29912 f7d23f RtlAllocateHeap __dosmaperr 29902->29912 29904->29824 29906 f86694 __fread_nolock std::_Lockit::_Lockit 29905->29906 29913 f8672c 
29906->29913 29908 f866af 29908->29902 29909->29895 29910->29904 29911->29904 29912->29904 29917 f8674f __fread_nolock 29913->29917 29915 f867b0 29923 f86db3 RtlAllocateHeap __dosmaperr 29915->29923 29917->29917 29918 f86795 __fread_nolock 29917->29918 29919 f863f3 29917->29919 29918->29908 29920 f86400 __dosmaperr std::_Facet_Register 29919->29920 29921 f8642b RtlAllocateHeap 29920->29921 29922 f8643e __dosmaperr 29920->29922 29921->29920 29921->29922 29922->29915 29923->29918 29927 f6f26a 29924->29927 29928 f6ec78 29927->29928 29929 f6f27b GetSystemTimePreciseAsFileTime 29927->29929 29928->29827 29929->29928 29932 f7cf80 29931->29932 29933 f7cf58 29931->29933 29932->29831 29933->29932 29934 f7cf87 29933->29934 29935 f7cf65 29933->29935 29946 f7cea3 SetFilePointerEx WriteFile RtlAllocateHeap RtlAllocateHeap __fread_nolock 29934->29946 29945 f74723 RtlAllocateHeap ___std_exception_copy __Getctype 29935->29945 29938 f7cfbf 29938->29831 29940 f744e8 29939->29940 29941 f744ff 29940->29941 29947 f74587 RtlAllocateHeap ___std_exception_copy __Getctype 29940->29947 29943 ea9c2a 29941->29943 29948 f74587 RtlAllocateHeap ___std_exception_copy __Getctype 29941->29948 29943->29834 29945->29932 29946->29938 29947->29941 29948->29943 29950 f78acf __fread_nolock 29949->29950 29951 f78ad9 29950->29951 29953 f78afc __fread_nolock 29950->29953 29970 f74723 RtlAllocateHeap ___std_exception_copy __Getctype 29951->29970 29955 f78af4 29953->29955 29956 f78b5a 29953->29956 29955->29837 29957 f78b67 29956->29957 29958 f78b8a 29956->29958 29995 f74723 RtlAllocateHeap ___std_exception_copy __Getctype 29957->29995 29968 f78b82 29958->29968 29971 f755d3 29958->29971 29965 f78bb6 29988 f84a3f 29965->29988 29968->29955 29970->29955 29972 f755ec 29971->29972 29976 f75613 29971->29976 29973 f85f82 __fread_nolock RtlAllocateHeap 29972->29973 29972->29976 29974 f75608 29973->29974 29997 f8538b 29974->29997 29977 f86ded 29976->29977 29978 f78baa 29977->29978 29979 f86e04 29977->29979 29981 f85f82 
29978->29981 29979->29978 30065 f86db3 RtlAllocateHeap __dosmaperr 29979->30065 29982 f85f8e 29981->29982 29983 f85fa3 29981->29983 30066 f7d23f RtlAllocateHeap __dosmaperr 29982->30066 29983->29965 29985 f85f93 30067 f747a0 RtlAllocateHeap ___std_exception_copy 29985->30067 29987 f85f9e 29987->29965 29989 f84a68 29988->29989 29994 f78bbd 29988->29994 29990 f84ab7 29989->29990 29992 f84a8f 29989->29992 30072 f74723 RtlAllocateHeap ___std_exception_copy __Getctype 29990->30072 30068 f849ae 29992->30068 29994->29968 29996 f86db3 RtlAllocateHeap __dosmaperr 29994->29996 29995->29968 29996->29968 29998 f85397 __fread_nolock 29997->29998 29999 f8539f 29998->29999 30000 f853d8 29998->30000 30002 f8541e 29998->30002 29999->29976 30018 f74723 RtlAllocateHeap ___std_exception_copy __Getctype 30000->30018 30002->29999 30004 f8549c 30002->30004 30005 f854c4 30004->30005 30017 f854e7 __fread_nolock 30004->30017 30006 f854c8 30005->30006 30008 f85523 30005->30008 30024 f74723 RtlAllocateHeap ___std_exception_copy __Getctype 30006->30024 30009 f85541 30008->30009 30025 f7e17d 30008->30025 30019 f84fe1 30009->30019 30013 f85559 30013->30017 30028 f84bb2 RtlAllocateHeap RtlAllocateHeap std::_Locinfo::_Locinfo_ctor _ValidateLocalCookies std::locale::_Locimp::_Locimp 30013->30028 30014 f855a0 30015 f85609 WriteFile 30014->30015 30014->30017 30015->30017 30017->29999 30018->29999 30029 f90d44 30019->30029 30021 f85021 30021->30013 30021->30014 30022 f84ff3 30022->30021 30038 f79d10 RtlAllocateHeap RtlAllocateHeap std::_Locinfo::_Locinfo_ctor ___std_exception_copy 30022->30038 30024->30017 30042 f7e05c 30025->30042 30027 f7e196 30027->30009 30028->30017 30030 f90d5e 30029->30030 30031 f90d51 30029->30031 30034 f90d6a 30030->30034 30040 f7d23f RtlAllocateHeap __dosmaperr 30030->30040 30039 f7d23f RtlAllocateHeap __dosmaperr 30031->30039 30033 f90d56 30033->30022 30034->30022 30036 f90d8b 30041 f747a0 RtlAllocateHeap ___std_exception_copy 30036->30041 30038->30021 30039->30033 
30040->30036 30041->30033 30047 f8a6de 30042->30047 30044 f7e06e 30045 f7e08a SetFilePointerEx 30044->30045 30046 f7e076 __fread_nolock 30044->30046 30045->30046 30046->30027 30048 f8a6eb 30047->30048 30049 f8a700 30047->30049 30060 f7d22c RtlAllocateHeap __dosmaperr 30048->30060 30054 f8a725 30049->30054 30062 f7d22c RtlAllocateHeap __dosmaperr 30049->30062 30051 f8a6f0 30061 f7d23f RtlAllocateHeap __dosmaperr 30051->30061 30054->30044 30055 f8a730 30063 f7d23f RtlAllocateHeap __dosmaperr 30055->30063 30057 f8a6f8 30057->30044 30058 f8a738 30064 f747a0 RtlAllocateHeap ___std_exception_copy 30058->30064 30060->30051 30061->30057 30062->30055 30063->30058 30064->30057 30065->29978 30066->29985 30067->29987 30069 f849ba __fread_nolock 30068->30069 30071 f849f9 30069->30071 30073 f84b12 30069->30073 30071->29994 30072->29994 30074 f8a6de __fread_nolock RtlAllocateHeap 30073->30074 30077 f84b22 30074->30077 30075 f84b28 30085 f8a64d RtlAllocateHeap __dosmaperr 30075->30085 30077->30075 30078 f84b5a 30077->30078 30079 f8a6de __fread_nolock RtlAllocateHeap 30077->30079 30078->30075 30080 f8a6de __fread_nolock RtlAllocateHeap 30078->30080 30081 f84b51 30079->30081 30082 f84b66 FindCloseChangeNotification 30080->30082 30083 f8a6de __fread_nolock RtlAllocateHeap 30081->30083 30082->30075 30083->30078 30084 f84b80 __fread_nolock 30084->30071 30085->30084 30086->29855 30500 e9c430 22 API calls __fread_nolock 30574 e9af30 4 API calls 2 library calls 30503 e91000 RtlAllocateHeap RtlAllocateHeap RtlAllocateHeap std::_Facet_Register 30577 ea4100 GetPEB RtlAllocateHeap RtlAllocateHeap std::ios_base::_Ios_base_dtor __fread_nolock
              APIs
              • GetUserNameA.ADVAPI32(?,00000104,?,?,?), ref: 00EA8006
              • GetFileAttributesA.KERNELBASE(?,00000001,?,?,?,?), ref: 00EA815D
              • __Mtx_unlock.LIBCPMT ref: 00EA8186
              • __Mtx_unlock.LIBCPMT ref: 00EA8195
              • GetFileAttributesA.KERNELBASE(?,?,0000005C,00000000,00000001), ref: 00EA8751
              • __Mtx_unlock.LIBCPMT ref: 00EA877A
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: Mtx_unlock$AttributesFile$NameUser
              • String ID: *$+$131$P?Y$Q>5$\$\
              • API String ID: 1275484822-3500402200
              • Opcode ID: c1f378f2106f78e8289e93485c68759832ed14c59c2f979ad67da59b864a5484
              • Instruction ID: 8d77a7e0beb0e668f9600ba6fb525958ba027eab6b0e5a3e804ba379dbd065d7
              • Opcode Fuzzy Hash: c1f378f2106f78e8289e93485c68759832ed14c59c2f979ad67da59b864a5484
              • Instruction Fuzzy Hash: 51236C70D002598FDB28CF68CD94BEDBBB5EF0A304F1481E9D409AB282D775AA85CF51

              Control-flow Graph

              [Rendered as an image in the report; the extracted edge list is omitted. Function 0x00E9B6A0-0x00E9C185: Win32 calls RegOpenKeyExA on HKEY_LOCAL_MACHINE (0x80000002, see APIs below), RegQueryValueExA, GetCurrentHwProfileA and SetupDiGetClassDevsA, plus internal helpers (e92270, e92ae0, e9a440, e9b1a0, e9b360, efa350, efa480, f006c0, f01ed0, f020e0, f15980, f15b20, f6f511, f70f70, f714f0, f747b0, f750b2, f7d7d6). Executed and not-executed blocks are colour-coded in the rendering.]
              APIs
              • RegOpenKeyExA.KERNELBASE(80000002,C0D5DDC2,00000000,00020019,00000000,FAF8FCC4,FAF8FCC5), ref: 00E9B947
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: Open
              • String ID: :$_$_$_
              • API String ID: 71445658-4119709311
              • Opcode ID: 70ffebfa1b60f9955c8cb520723815c5d093b4a693fbda1f050f815bfd0792a7
              • Instruction ID: b6e0d0fe0b94d8f4fb296563a0b2106b0af75ee1255cc69530e205780d85d31e
              • Opcode Fuzzy Hash: 70ffebfa1b60f9955c8cb520723815c5d093b4a693fbda1f050f815bfd0792a7
              • Instruction Fuzzy Hash: F6729EB0D002599FDF18CF68DD84BEEBBB5EF45304F1482A9E409AB282D7749A85CF51

              Control-flow Graph

              [Rendered as an image in the report; the extracted edge list is omitted. Function 0x00EAE0A0-0x00EAE1D9: WSAStartup, two calls to e96bd0, then socket (0xEAE175-0xEAE189) -> connect (0xEAE18B-0xEAE19B) -> closesocket (0xEAE19D-0xEAE1A5), with an edge from the closesocket block back to the socket block, i.e. connection attempts repeated in a loop. Executed and not-executed blocks are colour-coded in the rendering.]
              APIs
              • WSAStartup.WS2_32 ref: 00EAE0CB
              • socket.WS2_32(?,?,?,?,?,?,00FC7320,?,?,?,?,?,?), ref: 00EAE17F
              • connect.WS2_32(00000000,?,00000000,?,?,?,00FC7320,?,?,?,?,?,?), ref: 00EAE193
              • closesocket.WS2_32(00000000), ref: 00EAE19E
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: Startupclosesocketconnectsocket
              • String ID:
              • API String ID: 3098855095-0
              • Opcode ID: c08d960baeb82bdfb60cc3dc1f4e2558276660c23ee7632e9c8602661ce4f37d
              • Instruction ID: 29e9c83d04ab5fb2507d000b73cb6ffde612405f3c12740030bb700f3af9000f
              • Opcode Fuzzy Hash: c08d960baeb82bdfb60cc3dc1f4e2558276660c23ee7632e9c8602661ce4f37d
              • Instruction Fuzzy Hash: A231A6716053105BD7209F25C848B6BB7E4EBDA778F005F1DF9A8A73D0E375A9048BA2
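
              The control-flow graph for the function at 0x00EAE0A0 (blocks 0xEAE175-0xEAE1A5 calling socket, connect and closesocket, with an edge from the closesocket block back to the socket block) is what backs the report's "Connects to many ports of the same IP" signature. As an added example, not part of the Joe Sandbox report or of the analysed sample, the Python script below parses the report's control_flow_graph text format, rebuilds the basic-block graph and checks for a socket -> connect -> closesocket -> socket cycle, so the loop can be confirmed mechanically rather than by reading the edge list. The parsing rules (a decimal block id followed by an address or address range, `a->b` edges, any other tokens forming the block's call label) are inferred from the text on this page and are an assumption for other reports; the embedded edge list is copied from this report, and the straight-line negative case in the usage below is constructed.

```python
import re
from collections import defaultdict, deque

# Edge list for the function at 0x00EAE0A0, copied from the report's
# control_flow_graph text: "<id> <addr|addr-addr> <calls...>" defines a
# basic block, "<id>-><id>" is an edge between blocks.
CFG_EAE0A0 = (
    "1091 eae0a0-eae0d2 WSAStartup 1092 eae0d8-eae102 call e96bd0 * 2 "
    "1091->1092 1093 eae1b7-eae1c0 1091->1093 1098 eae10e-eae165 1092->1098 "
    "1099 eae104-eae108 1092->1099 1101 eae1b1 1098->1101 1102 eae167-eae16d "
    "1098->1102 1099->1093 1099->1098 1101->1093 1103 eae16f 1102->1103 "
    "1104 eae1c5-eae1cf 1102->1104 1105 eae175-eae189 socket 1103->1105 "
    "1104->1101 1108 eae1d1-eae1d9 1104->1108 1105->1101 1107 eae18b-eae19b "
    "connect 1105->1107 1109 eae19d-eae1a5 closesocket 1107->1109 1110 eae1c1 "
    "1107->1110 1109->1105 1111 eae1a7-eae1ab 1109->1111 1110->1104 1111->1101"
)

NODE_ID = re.compile(r"^\d+$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
# A block address or range. Requiring a hex letter or a hyphen keeps a bare
# decimal label token (the "2" in "call e96bd0 * 2") from being read as an
# address. Every address in this report contains a letter, so the heuristic
# holds for the page's data; it is an assumption for other reports.
ADDR = re.compile(r"^(?=.*[a-f-])[0-9a-f]+(?:-[0-9a-f]+)?$")


def parse_cfg(text):
    """Parse the report's edge-list text.

    Returns (blocks, edges): blocks maps block id -> (address, label) and
    edges maps block id -> set of successor block ids.
    """
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":   # leading word on the page
        tokens = tokens[1:]
    blocks, edges = {}, defaultdict(set)
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        edge = EDGE.match(tok)
        if edge:
            edges[edge.group(1)].add(edge.group(2))
            i += 1
            continue
        if NODE_ID.match(tok) and i + 1 < len(tokens) and ADDR.match(tokens[i + 1]):
            current = tok
            blocks[current] = (tokens[i + 1], [])
            i += 2
            continue
        if current is not None:   # anything else is part of the current block's label
            blocks[current][1].append(tok)
        i += 1
    return {b: (addr, " ".join(lbl)) for b, (addr, lbl) in blocks.items()}, edges


def blocks_calling(blocks, api):
    """Ids of blocks whose label names the API as a whole token."""
    return {b for b, (_, label) in blocks.items() if api in label.split()}


def find_path(edges, src, dst):
    """Shortest block path from src to dst (BFS), or None if unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in edges.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def find_reconnect_loop(text):
    """Return the block addresses of a socket -> connect -> closesocket -> socket
    cycle, or None when the function never loops back to create a new socket."""
    blocks, edges = parse_cfg(text)
    for s in sorted(blocks_calling(blocks, "socket")):
        for c in sorted(blocks_calling(blocks, "closesocket")):
            forward = find_path(edges, s, c)
            back = find_path(edges, c, s)
            if forward and back and any("connect" in blocks[b][1].split() for b in forward):
                return [blocks[b][0] for b in forward + back[1:]]
    return None


if __name__ == "__main__":
    loop = find_reconnect_loop(CFG_EAE0A0)
    print("reconnect loop:", " -> ".join(loop) if loop else "none")
```

              On the report's edge list the script returns the cycle eae175-eae189 -> eae18b-eae19b -> eae19d-eae1a5 -> eae175-eae189, the three blocks the APIs section below attributes to socket, connect and closesocket. A function that opens one socket, connects once and closes it yields None, which is the distinction between a single C2 connection and the repeated-connection behaviour the signature flags; the exact-token match on the label also keeps "closesocket" from being counted as a "socket" call.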

              Control-flow Graph

              [Rendered as an image in the report; the extracted edge list is omitted. Function 0x00F6F290: loops between calls to f7df2c and f817d8 (blocks 0xF6F295-0xF6F2AD) and otherwise continues into 0x00E921D0, which calls e921b0, f70efb and f70651 (___std_exception_copy). Executed and not-executed blocks are colour-coded in the rendering.]
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 00E9220E
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!$`!
              • API String ID: 2659868963-1501952390
              • Opcode ID: 2947e80119313c5cc6cfa7a6e4a312cd4c2607908f50143c00ac01ae7f9e235e
              • Instruction ID: 2d8a2bd02fedbb922ed61434f42bd9f6b1d975656323f17750e077b04987cb60
              • Opcode Fuzzy Hash: 2947e80119313c5cc6cfa7a6e4a312cd4c2607908f50143c00ac01ae7f9e235e
              • Instruction Fuzzy Hash: E9012B7650030DBBCF18AF99EC0299977EC9E00320B50843AFA1CDB551EB30E964E791

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1366 e9a690-e9a6a7 call f6e812 1369 e9a6a9-e9a6ab 1366->1369 1370 e9a6fe-e9a722 call f6e4bb call f6e812 1366->1370 1371 e9a6ad-e9a6af 1369->1371 1372 e9a6e7 1369->1372 1385 e9a73f-e9a745 call f6e4bb 1370->1385 1386 e9a724-e9a73e call f6e823 1370->1386 1375 e9a6b2-e9a6b7 1371->1375 1374 e9a6e9-e9a6fd call f6e823 1372->1374 1375->1375 1378 e9a6b9-e9a6bb 1375->1378 1378->1372 1381 e9a6bd-e9a6c7 GetFileAttributesA 1378->1381 1383 e9a6c9-e9a6d2 1381->1383 1384 e9a6e3-e9a6e5 1381->1384 1383->1384 1391 e9a6d4-e9a6d7 1383->1391 1384->1374 1391->1384 1393 e9a6d9-e9a6dc 1391->1393 1393->1384 1395 e9a6de-e9a6e1 1393->1395 1395->1372 1395->1384
              APIs
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: Mtx_unlock$AttributesFile
              • String ID:
              • API String ID: 1886074773-0
              • Opcode ID: 5acc252c01e254c0f356256776501f55e642229fcd1451c64740f814c918b5da
              • Instruction ID: 6ce92deec9ecee20a71c52a317dbaa2780cc21892bdcb2b4c849710c4bdf5eeb
              • Opcode Fuzzy Hash: 5acc252c01e254c0f356256776501f55e642229fcd1451c64740f814c918b5da
              • Instruction Fuzzy Hash: FE012696A4422222DD3861346C8A9FB35088C5337C73D2936FC41E7247F84BCD10A1E3

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1396 f00560-f0057f 1397 f00585-f00598 1396->1397 1398 f006a9 call e92270 1396->1398 1399 f005c0-f005c8 1397->1399 1400 f0059a 1397->1400 1402 f006ae call e921d0 1398->1402 1403 f005d1-f005d5 1399->1403 1404 f005ca-f005cf 1399->1404 1405 f0059c-f005a1 1400->1405 1410 f006b3-f006b8 call f747b0 1402->1410 1407 f005d7 1403->1407 1408 f005d9-f005e1 1403->1408 1404->1405 1409 f005a4-f005a5 call f6f290 1405->1409 1407->1408 1411 f005f0-f005f2 1408->1411 1412 f005e3-f005e8 1408->1412 1414 f005aa-f005af 1409->1414 1417 f00601 1411->1417 1418 f005f4-f005ff call f6f290 1411->1418 1412->1402 1416 f005ee 1412->1416 1414->1410 1419 f005b5-f005be 1414->1419 1416->1409 1422 f00603-f00629 1417->1422 1418->1422 1419->1422 1424 f00680-f006a6 call f70f70 call f714f0 1422->1424 1425 f0062b-f00655 call f70f70 call f714f0 1422->1425 1434 f00657-f00665 1425->1434 1435 f00669-f0067d call f6f511 1425->1435 1434->1410 1436 f00667 1434->1436 1436->1435
              APIs
              • Concurrency::cancel_current_task.LIBCPMT ref: 00F006AE
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: Concurrency::cancel_current_task
              • String ID: 5
              • API String ID: 118556049-2308513669
              • Opcode ID: a07ca5f35a0a00156a120fe7bc8c038a69de417eab0e42a5e54c1756a77a970a
              • Instruction ID: 65bf12aaeff75eb7880a0535d78b70e34b16454b01b5fb2f0f13efda15e576e8
              • Opcode Fuzzy Hash: a07ca5f35a0a00156a120fe7bc8c038a69de417eab0e42a5e54c1756a77a970a
              • Instruction Fuzzy Hash: BD41D872A001149BCB15DF68DC806AE77A6AF89350F14416AFC05DB382DB31DE60BBE1

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1439 e9a090-e9a12b call f6f290 call e92ae0 1444 e9a130-e9a13b 1439->1444 1444->1444 1445 e9a13d-e9a148 1444->1445 1446 e9a14a 1445->1446 1447 e9a14d-e9a15e call f75362 1445->1447 1446->1447 1450 e9a160-e9a189 call f79136 call f74eeb call f79136 1447->1450 1451 e9a1c4-e9a1ca 1447->1451 1469 e9a19b-e9a1a2 call efcf60 1450->1469 1470 e9a18b-e9a18f 1450->1470 1453 e9a1cc-e9a1d8 1451->1453 1454 e9a1f4-e9a206 1451->1454 1456 e9a1ea-e9a1f1 call f6f511 1453->1456 1457 e9a1da-e9a1e8 1453->1457 1456->1454 1457->1456 1459 e9a207-e9a2ab call f747b0 call f6f290 call e92ae0 1457->1459 1479 e9a2b0-e9a2bb 1459->1479 1475 e9a1a7-e9a1ad 1469->1475 1473 e9a191 1470->1473 1474 e9a193-e9a199 1470->1474 1473->1474 1474->1475 1477 e9a1af 1475->1477 1478 e9a1b1-e9a1c1 call f7dbdf call f78be8 1475->1478 1477->1478 1478->1451 1479->1479 1481 e9a2bd-e9a2c8 1479->1481 1483 e9a2ca 1481->1483 1484 e9a2cd-e9a2de call f75362 1481->1484 1483->1484 1489 e9a351-e9a357 1484->1489 1490 e9a2e0-e9a305 call f79136 call f74eeb call f79136 1484->1490 1491 e9a359-e9a365 1489->1491 1492 e9a381-e9a393 1489->1492 1507 e9a30c-e9a316 1490->1507 1508 e9a307 1490->1508 1494 e9a377-e9a37e call f6f511 1491->1494 1495 e9a367-e9a375 1491->1495 1494->1492 1495->1494 1498 e9a394-e9a3ae call f747b0 1495->1498 1506 e9a3b0-e9a3bb 1498->1506 1506->1506 1509 e9a3bd-e9a3c8 1506->1509 1510 e9a328-e9a32f call efcf60 1507->1510 1511 e9a318-e9a31c 1507->1511 1508->1507 1512 e9a3ca 1509->1512 1513 e9a3cd-e9a3df call f75362 1509->1513 1519 e9a334-e9a33a 1510->1519 1515 e9a31e 1511->1515 1516 e9a320-e9a326 1511->1516 1512->1513 1520 e9a3fc-e9a403 1513->1520 1521 e9a3e1-e9a3f9 call f79136 call f74eeb call f78be8 1513->1521 1515->1516 1516->1519 1522 e9a33c 1519->1522 1523 e9a33e-e9a349 call f7dbdf call f78be8 1519->1523 1525 e9a42d-e9a433 1520->1525 1526 e9a405-e9a411 1520->1526 1521->1520 1522->1523 1536 e9a34e 1523->1536 1529 e9a423-e9a42a call f6f511 1526->1529 1530 e9a413-e9a421 1526->1530 1529->1525 1530->1529 1534 e9a434-e9a439 call f747b0 1530->1534 1536->1489
              APIs
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: __fread_nolock
              • String ID:
              • API String ID: 2638373210-0
              • Opcode ID: c883d8104f7fea92100722174cb4c7c975409ea9e3a0d484f4364ea8b91af842
              • Instruction ID: 35cc63a75c90b994231203cf45e317d9ee0090e76e437ac7611749d81a485930
              • Opcode Fuzzy Hash: c883d8104f7fea92100722174cb4c7c975409ea9e3a0d484f4364ea8b91af842
              • Instruction Fuzzy Hash: 64B127B0900204AFDF18DF68CC45BAEBBE9EF41704F14856DF419AB682D7B9A941C7D2

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1543 f84623-f84633 1544 f8464d-f8464f 1543->1544 1545 f84635-f84648 call f7d22c call f7d23f 1543->1545 1547 f8498f-f8499c call f7d22c call f7d23f 1544->1547 1548 f84655-f8465b 1544->1548 1562 f849a7 1545->1562 1564 f849a2 call f747a0 1547->1564 1548->1547 1550 f84661-f8468a 1548->1550 1550->1547 1553 f84690-f84699 1550->1553 1556 f8469b-f846ae call f7d22c call f7d23f 1553->1556 1557 f846b3-f846b5 1553->1557 1556->1564 1560 f8498b-f8498d 1557->1560 1561 f846bb-f846bf 1557->1561 1566 f849aa-f849ad 1560->1566 1561->1560 1565 f846c5-f846c9 1561->1565 1562->1566 1564->1562 1565->1556 1569 f846cb-f846e2 1565->1569 1572 f846e4-f846e7 1569->1572 1573 f84717-f8471d 1569->1573 1576 f846e9-f846ef 1572->1576 1577 f8470d-f84715 1572->1577 1574 f8471f-f84726 1573->1574 1575 f846f1-f84708 call f7d22c call f7d23f call f747a0 1573->1575 1578 f84728 1574->1578 1579 f8472a-f84748 call f86e2d call f86db3 * 2 1574->1579 1608 f848c2 1575->1608 1576->1575 1576->1577 1581 f8478a-f847a9 1577->1581 1578->1579 1612 f8474a-f84760 call f7d23f call f7d22c 1579->1612 1613 f84765-f84788 call f7e13d 1579->1613 1582 f847af-f847bb 1581->1582 1583 f84865-f8486e call f90d44 1581->1583 1582->1583 1586 f847c1-f847c3 1582->1586 1597 f848df 1583->1597 1598 f84870-f84882 1583->1598 1586->1583 1590 f847c9-f847ea 1586->1590 1590->1583 1594 f847ec-f84802 1590->1594 1594->1583 1600 f84804-f84806 1594->1600 1599 f848e3-f848f9 ReadFile 1597->1599 1598->1597 1603 f84884-f84893 1598->1603 1604 f848fb-f84901 1599->1604 1605 f84957-f84962 1599->1605 1600->1583 1606 f84808-f8482b 1600->1606 1603->1597 1615 f84895-f84899 1603->1615 1604->1605 1610 f84903 1604->1610 1624 f8497b-f8497e 1605->1624 1625 f84964-f84976 call f7d23f call f7d22c 1605->1625 1606->1583 1611 f8482d-f84843 1606->1611 1614 f848c5-f848cf call f86db3 1608->1614 1617 f84906-f84918 1610->1617 1611->1583 1618 f84845-f84847 1611->1618 1612->1608 1613->1581 1614->1566 1615->1599 1623 f8489b-f848b3 1615->1623 1617->1614 1626 f8491a-f8491e 1617->1626 1618->1583 1627 f84849-f84860 1618->1627 1643 f848d4-f848dd 1623->1643 1644 f848b5 1623->1644 1633 f848bb-f848c1 call f7d1e5 1624->1633 1634 f84984-f84986 1624->1634 1625->1608 1631 f84920-f84930 call f84335 1626->1631 1632 f84937-f84944 1626->1632 1627->1583 1652 f84933-f84935 1631->1652 1640 f84950-f84955 call f8417b 1632->1640 1641 f84946 call f8448c 1632->1641 1633->1608 1634->1614 1653 f8494b-f8494e 1640->1653 1641->1653 1643->1617 1644->1633 1652->1614 1653->1652
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ac5d241bada5adaf53f154f21f9e7645feab7e38bebdaa6352bea9aa08c86b50
              • Instruction ID: 71a0d9fe606a3c9e3654a612426c6d7ae905507c70ef8b1b8e95adeab20b3c3b
              • Opcode Fuzzy Hash: ac5d241bada5adaf53f154f21f9e7645feab7e38bebdaa6352bea9aa08c86b50
              • Instruction Fuzzy Hash: CAB11671E0424AAFDF11EFA8D841BFEBBB1AF49310F144159E444AB282C775BD42EB61

              Control-flow Graph

              • Executed
              • Not Executed
              control_flow_graph 1654 f8549c-f854be 1655 f856b1 1654->1655 1656 f854c4-f854c6 1654->1656 1657 f856b3-f856b7 1655->1657 1658 f854c8-f854e7 call f74723 1656->1658 1659 f854f2-f85515 1656->1659 1665 f854ea-f854ed 1658->1665 1660 f8551b-f85521 1659->1660 1661 f85517-f85519 1659->1661 1660->1658 1664 f85523-f85534 1660->1664 1661->1660 1661->1664 1666 f85536-f85544 call f7e17d 1664->1666 1667 f85547-f85557 call f84fe1 1664->1667 1665->1657 1666->1667 1672 f85559-f8555f 1667->1672 1673 f855a0-f855b2 1667->1673 1676 f85588-f8559e call f84bb2 1672->1676 1677 f85561-f85564 1672->1677 1674 f85609-f85629 WriteFile 1673->1674 1675 f855b4-f855ba 1673->1675 1678 f8562b-f85631 1674->1678 1679 f85634 1674->1679 1681 f855bc-f855bf 1675->1681 1682 f855f5-f85607 call f8505e 1675->1682 1695 f85581-f85583 1676->1695 1683 f8556f-f8557e call f84f79 1677->1683 1684 f85566-f85569 1677->1684 1678->1679 1688 f85637-f85642 1679->1688 1689 f855e1-f855f3 call f85222 1681->1689 1690 f855c1-f855c4 1681->1690 1701 f855dc-f855df 1682->1701 1683->1695 1684->1683 1691 f85649-f8564c 1684->1691 1696 f856ac-f856af 1688->1696 1697 f85644-f85647 1688->1697 1689->1701 1698 f855ca-f855d7 call f85139 1690->1698 1699 f8564f-f85651 1690->1699 1691->1699 1695->1688 1696->1657 1697->1691 1698->1701 1703 f8567f-f8568b 1699->1703 1704 f85653-f85658 1699->1704 1701->1695 1706 f8568d-f85693 1703->1706 1707 f85695-f856a7 1703->1707 1708 f8565a-f8566c 1704->1708 1709 f85671-f8567a call f7d208 1704->1709 1706->1655 1706->1707 1707->1665 1708->1665 1709->1665
              APIs
              • WriteFile.KERNELBASE(?,00000000,00F79087,?,00000000,00000000,00000000,?,00000000,?,00F6E5B1,00F79087,00000000,00F6E5B1,?,?), ref: 00F85622
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
              • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: FileWrite
              • String ID:
              • API String ID: 3934441357-0
              • Opcode ID: 69e48a7b1b65ea67666eee5ce8a4985a4428ad12b48266b73d86a0b9d0aadb56
              • Instruction ID: 4edc72e45b72b788494eb50f7426596e4efeab2d3c79276a21c24daf82f0dcdc
              • Opcode Fuzzy Hash: 69e48a7b1b65ea67666eee5ce8a4985a4428ad12b48266b73d86a0b9d0aadb56
              • Instruction Fuzzy Hash: 9061C472D04519AFDF11EFA8CC44EEEBBBAAF49718F580145E804AB205D376D901EBA0

              Control-flow Graph: function at f74942 (graph image not reproduced; blocks were marked Executed / Not Executed)
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d78ff1cf1a5fe9e37f37f694b754c0e9a79167784ae308d064960bdcc48c5d4a
              • Instruction ID: 2b5a453e1c5a6d49a6823a4b29fa72d2798730ed52ea56d0049daee44592ee43
              • Opcode Fuzzy Hash: d78ff1cf1a5fe9e37f37f694b754c0e9a79167784ae308d064960bdcc48c5d4a
              • Instruction Fuzzy Hash: 2C51E631A00108AFDF14CF58CC41EAABBB1EF49364F24C15AF84D9B252D335AE41EB91

              Control-flow Graph: function at efa350 (graph image not reproduced; blocks were marked Executed / Not Executed)
              APIs
              • Concurrency::cancel_current_task.LIBCPMT ref: 00EFA472
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: Concurrency::cancel_current_task
              • String ID:
              • API String ID: 118556049-0
              • Opcode ID: 4ef009437b7ba5cefb7c7b7f7709c5d031e3a220ae5dbd6af41c3bc0398da16d
              • Instruction ID: 274acf1f1e1ebdfa3c8fa1762990dad8903925ab47dce715fd949eb1acb8991d
              • Opcode Fuzzy Hash: 4ef009437b7ba5cefb7c7b7f7709c5d031e3a220ae5dbd6af41c3bc0398da16d
              • Instruction Fuzzy Hash: 9E315CB16002089BDB289E68DC8497DB3D9DF44320B28523DFA6DDF392E6B0DD448752

              Control-flow Graph: function at f84b12 (graph image not reproduced; blocks were marked Executed / Not Executed)
              APIs
              • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00F849F9,00000000,CF830579,00FC1140,0000000C,00F84AB5,00F78BBD,?), ref: 00F84B69
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: ChangeCloseFindNotification
              • String ID:
              • API String ID: 2591292051-0
              • Opcode ID: 9e60372669785515f5b52b68ec83e4c0c314e7f7366508e18617bcd9e5399e86
              • Instruction ID: 484db216c05496aa61c8cca407272c751e2467b071cf525c608877aa11e3d65e
              • Opcode Fuzzy Hash: 9e60372669785515f5b52b68ec83e4c0c314e7f7366508e18617bcd9e5399e86
              • Instruction Fuzzy Hash: DA114833E0412516E72472346D42BFE7749CBC2770F29065AF8189B0C2FE26EC417355

              Control-flow Graph: function at f7e05c (graph image not reproduced; blocks were marked Executed / Not Executed)
              APIs
              • SetFilePointerEx.KERNELBASE(00000000,00000000,00FC0DF8,00F6E5B1,00000002,00F6E5B1,00000000,?,?,?,00F7E166,00000000,?,00F6E5B1,00000002,00FC0DF8), ref: 00F7E099
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: FilePointer
              • String ID:
              • API String ID: 973152223-0
              • Opcode ID: 7faa45ebc320e72d568d3e4a967b9dbf5d7f2d0710828d39a036e69e94dcb277
              • Instruction ID: dde69264cbbfbcfd35c3dc8968aad7010e9e2b3be43f5aa8bc97308b4910dceb
              • Opcode Fuzzy Hash: 7faa45ebc320e72d568d3e4a967b9dbf5d7f2d0710828d39a036e69e94dcb277
              • Instruction Fuzzy Hash: C4014932614119AFCF05CF18CC05DAE3B29DF89330F24428AF8549B291FAB2ED51ABD1

              Control-flow Graph: function at f863f3 (graph image not reproduced; blocks were marked Executed / Not Executed)
              APIs
              • RtlAllocateHeap.NTDLL(00000008,00F6D6FA,00000004,?,00F85D79,00000001,00000364,00000004,00000007,000000FF,?,00F7067B,00000002,00000000,?,?), ref: 00F86435
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 9125968904c54331ac91650245811c5cdc7811c1c40e1a8527a4debf3b09d6bd
              • Instruction ID: 4763c0c5fba20ed8f3815bdc86e3041ef69a0f837058ede50588308312972583
              • Opcode Fuzzy Hash: 9125968904c54331ac91650245811c5cdc7811c1c40e1a8527a4debf3b09d6bd
              • Instruction Fuzzy Hash: 7AF0E932901224669F21FB629C06BDF3B49AF41774F258151AC08D7185CB30D80177F2

              Control-flow Graph: function at f86e2d (graph image not reproduced; blocks were marked Executed / Not Executed)
              APIs
              • RtlAllocateHeap.NTDLL(00000000,00000004,00000000,?,00F7067B,00000002,00000000,?,?,?,00E9303D,00F6D6FA,00000004,00000000,00F6D6FA), ref: 00F86E60
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: AllocateHeap
              • String ID:
              • API String ID: 1279760036-0
              • Opcode ID: 609883d1444dd4bf1f33c914a7df8010d6defd4d4764a5095fe7b68cbcee3710
              • Instruction ID: 79545ba3e91c5e588a36fff17c42f0a61cc8e4d3e34d95432550c252053ff836
              • Opcode Fuzzy Hash: 609883d1444dd4bf1f33c914a7df8010d6defd4d4764a5095fe7b68cbcee3710
              • Instruction Fuzzy Hash: 62E0ED3A94062666EA303665CD05BDB764D9F827B0F050221AC04D6090CB20C801B3ED
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 3f97ce6278b5da815f6c389bae476adc5dc884afc24939f4c376b69ad4ad6edd
              • Instruction ID: 479b5d94f9e241e8037babe72c6b2a225a56641f1ed01b957784788a47d98a90
              • Opcode Fuzzy Hash: 3f97ce6278b5da815f6c389bae476adc5dc884afc24939f4c376b69ad4ad6edd
              • Instruction Fuzzy Hash: CA025E71E402199BDF14CFA9D8846AEFBB1FF48364F24826AD519E7340DB31AD02DB91
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 00EFF833
              • std::_Lockit::_Lockit.LIBCPMT ref: 00EFF855
              • std::_Lockit::~_Lockit.LIBCPMT ref: 00EFF875
              • std::_Lockit::~_Lockit.LIBCPMT ref: 00EFF89F
              • std::_Lockit::_Lockit.LIBCPMT ref: 00EFF90D
              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00EFF959
              • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00EFF973
              • std::_Lockit::~_Lockit.LIBCPMT ref: 00EFFA08
              • std::_Facet_Register.LIBCPMT ref: 00EFFA15
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
               • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
              • String ID: bad locale name$Ps
              • API String ID: 3375549084-1174896957
              • Opcode ID: b67b59ae85dd1e2feda532dbf144358123e6bc0fa9d21db55713ca8c4ff47b01
              • Instruction ID: 2ec514bf868ec0b4c3bf140326797140dcf277c5d243a1f512ef28f7261d9962
              • Opcode Fuzzy Hash: b67b59ae85dd1e2feda532dbf144358123e6bc0fa9d21db55713ca8c4ff47b01
              • Instruction Fuzzy Hash: 3E61C071E0024C9BEF10DFA4CC45BAEBBB4AF54354F144169E908BB381E775E905DBA2
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 00E9799A
              • ___std_exception_copy.LIBVCRUNTIME ref: 00E97B75
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
               • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!$`!$out_of_range$type_error
              • API String ID: 2659868963-4040272994
              • Opcode ID: 3b254256ae39cd0b3cb03a6ae4e723e642b5c49f877c4daf59210a138a88badd
              • Instruction ID: 0d461cb69da7d0533fe50c207455a32b35a3770314ecaf7fd4a4dbad7aaac679
              • Opcode Fuzzy Hash: 3b254256ae39cd0b3cb03a6ae4e723e642b5c49f877c4daf59210a138a88badd
              • Instruction Fuzzy Hash: 88C148B1D002089FDB18CFA8D884B9DBBF1FF48300F14866AE459EB746E7749984CB51
              APIs
              • ___std_exception_destroy.LIBVCRUNTIME ref: 00E975BE
              • ___std_exception_destroy.LIBVCRUNTIME ref: 00E975CD
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
               • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_destroy
              • String ID: at line $, column $`!$yo
              • API String ID: 4194217158-1471347245
              • Opcode ID: cd12d789ca995067d95176a3b0be298907161a6833e50991e3a05c6e3de692be
              • Instruction ID: be2900e44c32f0ff114923509375c93e01bbaa629c8b4f6c62ff3d1734b216fd
              • Opcode Fuzzy Hash: cd12d789ca995067d95176a3b0be298907161a6833e50991e3a05c6e3de692be
              • Instruction Fuzzy Hash: C061E471A142049FDF08CF68DC85B9DBBB6FF44300F24862CE465A7B82D774AA48DB91
              APIs
              • std::_Lockit::_Lockit.LIBCPMT ref: 00E93A58
              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E93AA4
              • __Getctype.LIBCPMT ref: 00E93ABA
              • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00E93AE6
              • std::_Lockit::~_Lockit.LIBCPMT ref: 00E93B7B
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
               • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
              • String ID: bad locale name
              • API String ID: 1840309910-1405518554
              • Opcode ID: d6d50fb859b606a26dadffe8741d34d7112cbf235989e032549a26929e0b5f3d
              • Instruction ID: 6de24d5303ec1a59b5e791288b45428570ad59614dbf588bd90ff9c18871ada0
              • Opcode Fuzzy Hash: d6d50fb859b606a26dadffe8741d34d7112cbf235989e032549a26929e0b5f3d
              • Instruction Fuzzy Hash: 815161B5D002089FEF10DFA4DC45B9EBBB8BF14314F148169E809AB341E779DA04DB62
              APIs
              • LocalAlloc.KERNEL32(00000040,0000001C), ref: 00E9B1F0
              • LocalAlloc.KERNEL32(00000040,0000001C,?,00000000,00000000), ref: 00E9B239
              • SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,00000000,00000000,00000000,?,00000000), ref: 00E9B26D
              • SetupDiGetDeviceInterfaceDetailA.SETUPAPI(?,?,00000000,?,00000000,00000000), ref: 00E9B28F
              • LocalFree.KERNEL32(?,?,?,?,?,00000000,?,00000000,00000000), ref: 00E9B2C0
              • LocalFree.KERNEL32(?,?,?,00000000,?,00000000,00000000), ref: 00E9B2C5
              • LocalFree.KERNEL32(?,?,?,00000000,?,00000000,00000000), ref: 00E9B2C8
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
               • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: Local$Free$AllocDetailDeviceInterfaceSetup
              • String ID:
              • API String ID: 4232148138-0
              • Opcode ID: 0006b966c15d96ee19fce0d7d9d95e73b94419d4cb377804ff9db7e42d3850d6
              • Instruction ID: a25ddd7d01d4a72c5f882c5f621e82aacf4ae3aaa0449daa64cb36c1b50e3465
              • Opcode Fuzzy Hash: 0006b966c15d96ee19fce0d7d9d95e73b94419d4cb377804ff9db7e42d3850d6
              • Instruction Fuzzy Hash: 89413CB1A40309AFDB20DFA9DD41BAEBBF8EB48700F10452AE559E7690E775A900CB50
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 00E932C6
              • ___std_exception_destroy.LIBVCRUNTIME ref: 00E93350
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
               • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy___std_exception_destroy
              • String ID: @3$`!$`!
              • API String ID: 2970364248-2742226070
              • Opcode ID: 2afc83424cb66ffba34a8f157252a7e042b8b3e747719f49a01486a63d250b45
              • Instruction ID: 7398352e1e4e7b2fb6be08913d18bc85a5a7c108aada1c3f0e439cfd49cae1e8
              • Opcode Fuzzy Hash: 2afc83424cb66ffba34a8f157252a7e042b8b3e747719f49a01486a63d250b45
              • Instruction Fuzzy Hash: 1F516B719002189FDF08CFA8DC85BAEBBB5FF48300F14812AE819A7391D774AA458B91
              APIs
                • Part of subcall function 00E93190: ___std_exception_copy.LIBVCRUNTIME ref: 00E932C6
              • ___std_exception_copy.LIBVCRUNTIME ref: 00E9345F
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
               • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: +4$@3$@3$`!
              • API String ID: 2659868963-2319638956
              • Opcode ID: 36fcd618d650d030287714ede2a74853e55345c8abc89db1ed17d12918117c3a
              • Instruction ID: fb88e0a51ca5c3b1aa8efe9b0cc1d0b7eec60f1484ae6fb1fa0ddeaa3c92d68d
              • Opcode Fuzzy Hash: 36fcd618d650d030287714ede2a74853e55345c8abc89db1ed17d12918117c3a
              • Instruction Fuzzy Hash: 7131A3B19002099FCB18DFA8D841A9EFBF8FF08310F10852AE519E7A51E774AA54CB91
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 00EFD06F
              • ___std_exception_copy.LIBVCRUNTIME ref: 00EFD096
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
               • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!$`!$u
              • API String ID: 2659868963-3642976717
              • Opcode ID: b7322ed04a608dfb1d9bd34c64db4116c90ec3861d6e2f8abaa7e7afa2b5e9fc
              • Instruction ID: 8b43ad70960fb3cd55a5099f45cc26284be62af92b7f343d2b5af75c4a65c205
              • Opcode Fuzzy Hash: b7322ed04a608dfb1d9bd34c64db4116c90ec3861d6e2f8abaa7e7afa2b5e9fc
              • Instruction Fuzzy Hash: D501A4B6600606AF9708DF59D805882FBF8FF48710715852BA529CBB11E7B0E528DFA0
              APIs
              • ___std_exception_destroy.LIBVCRUNTIME ref: 00E96F11
              • ___std_exception_destroy.LIBVCRUNTIME ref: 00E96F20
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
               • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_destroy
              • String ID: [json.exception.$`!
              • API String ID: 4194217158-2932383579
              • Opcode ID: af86e7cd6517537971d08ad8f6364e331cb804e614df5520623f352f8659cf84
              • Instruction ID: ae1e4e7068ff0492084bbace1afd9ddefab11db93f67ffb067061d64c77d2660
              • Opcode Fuzzy Hash: af86e7cd6517537971d08ad8f6364e331cb804e614df5520623f352f8659cf84
              • Instruction Fuzzy Hash: 4691D370A002049FDF18CF68D884B9EBBF2FF44300F24866DE419AB792D775AA85CB51
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 00E97D67
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
               • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!$`!$other_error
              • API String ID: 2659868963-2644867674
              • Opcode ID: 5eadb912d71f05a3a005015045dd63041ffcdc76834c623737482bc6c31fc771
              • Instruction ID: 73eae4f64d0c66f9c5ed358fd589531209ac03f9df7d788c3b7a8f8000c8b81f
              • Opcode Fuzzy Hash: 5eadb912d71f05a3a005015045dd63041ffcdc76834c623737482bc6c31fc771
              • Instruction Fuzzy Hash: 885168B0D102488FDB18CFA8D88479DBBF1FF49300F14866AE459EB786E774A984CB51
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 00E950C8
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
               • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: @3$`!$recursive_directory_iterator::operator++
              • API String ID: 2659868963-3572337925
              • Opcode ID: f66f769defbead6f5cbfb4dc7c46667c4563559a90595d549b8646d11c1156e9
              • Instruction ID: 8e9871e79b66368d486a5fa11198e446912d2d2f276a7ac44dab807614c9d4ed
              • Opcode Fuzzy Hash: f66f769defbead6f5cbfb4dc7c46667c4563559a90595d549b8646d11c1156e9
              • Instruction Fuzzy Hash: FD3190B5800608EBCB10DF54DD41F86BBF8FB04710F04866AE919A3781DB74BA14CBA1
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 00F0B3DF
              • ___std_exception_copy.LIBVCRUNTIME ref: 00F0B406
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
               • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!$`!
              • API String ID: 2659868963-1501952390
              • Opcode ID: b4700d971925b1c1f57e41953e3803267872d8fea2028b7e64881b106f6af283
              • Instruction ID: fde89e0158bfb70fbe9d0046e6a13ef26184c548ee4bf69fa685bcbbb934d7af
              • Opcode Fuzzy Hash: b4700d971925b1c1f57e41953e3803267872d8fea2028b7e64881b106f6af283
              • Instruction Fuzzy Hash: 7DF0C4B6500606AF8708DF59D815886BBE8FF44710315852BE52ACBB02E7B0E528DFA0
              APIs
              • Process32Next.KERNEL32(00000000,00000128), ref: 00E9DAB0
              • Process32Next.KERNEL32(00000000,?), ref: 00E9DAF8
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
               • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: NextProcess32
              • String ID: ?
              • API String ID: 1850201408-1684325040
              • Opcode ID: 376537450a45c237c46892e10b128886a8bb30525fbfa40f26ee19dd7cc14681
              • Instruction ID: de0792755d57bd0f23a1d26e294e1eefc49e1af3ba408b2ed6a42f59d50fc57f
              • Opcode Fuzzy Hash: 376537450a45c237c46892e10b128886a8bb30525fbfa40f26ee19dd7cc14681
              • Instruction Fuzzy Hash: BEF17DB181522DAAEF25EB90CC45BEEB7B8EF15304F4010D9E549B6241EB705B88CF62
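The entry above is the one place in this run of functions where the listed API is not C++ runtime plumbing: two Process32Next calls from the same function, i.e. a loop over a Toolhelp process snapshot, which is how a stealer checks what else is running. Reading thousands of these entries by hand does not scale, so the following is an added triage helper (example code, not part of the Joe Sandbox report or of the RisePro sample) that parses lines in the "Name.MODULE(args), ref: ADDR" shape used in the "APIs" blocks above and tags each call. The sample input is constructed from the API lines of the entries on this page; the tag table and the runtime-module list are this example's own assumptions, not anything the report states.

```python
"""Extract and triage API references from Joe Sandbox function entries.

Added example, not part of the report. It parses "• Name.MODULE(args), ref: ADDR"
lines as printed in the "APIs" blocks and tags each call so runtime noise can be
separated from behaviour worth opening in IDA. BEHAVIOUR_TAGS and RUNTIME_MODULES
are assumptions of this example.
"""
import re
from collections import Counter

# Constructed sample: API lines copied in shape from the entries on this page.
SAMPLE = """\
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 00EFD06F
• ___std_exception_copy.LIBVCRUNTIME ref: 00EFD096
Strings
APIs
• ___std_exception_destroy.LIBVCRUNTIME ref: 00E96F11
• ___std_exception_destroy.LIBVCRUNTIME ref: 00E96F20
Strings
APIs
• Process32Next.KERNEL32(00000000,00000128), ref: 00E9DAB0
• Process32Next.KERNEL32(00000000,?), ref: 00E9DAF8
Strings
"""

# Bullet and whitespace, Name.MODULE, optional "(arg,arg)", optional comma,
# then "ref:" and an 8-digit hex address.
API_RE = re.compile(
    r"^\W*(?P<api>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Assumed triage table: API names that point at a behaviour of interest.
BEHAVIOUR_TAGS = {
    "CreateToolhelp32Snapshot": "process enumeration",
    "Process32First": "process enumeration",
    "Process32FirstW": "process enumeration",
    "Process32Next": "process enumeration",
    "Process32NextW": "process enumeration",
}
# Assumed list of static-runtime modules whose calls are compiler plumbing.
RUNTIME_MODULES = {"LIBVCRUNTIME", "LIBCMT", "LIBCMTD", "LIBUCRT", "MSVCRT"}


def parse_api_refs(text):
    """Return one dict per API line: api, module, args (list of str), ref (int)."""
    refs = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue  # section headers such as "APIs" / "Strings", or other lines
        args = m.group("args")
        refs.append({
            "api": m.group("api"),
            "module": m.group("module"),
            "args": [a.strip() for a in args.split(",")] if args else [],
            "ref": int(m.group("ref"), 16),
        })
    return refs


def classify(api, module):
    """Tag a call: known behaviour, C++/CRT runtime noise, or unclassified."""
    if api in BEHAVIOUR_TAGS:
        return BEHAVIOUR_TAGS[api]
    if module.upper() in RUNTIME_MODULES or api.startswith("_"):
        return "C++ runtime (noise)"
    return "unclassified"


def summarize(text):
    """Count calls per tag; everything except the noise bucket deserves a look."""
    return Counter(classify(r["api"], r["module"]) for r in parse_api_refs(text))


def interesting_refs(text):
    """(address, api) pairs that are not runtime noise, sorted for follow-up in IDA."""
    return sorted(
        (r["ref"], r["api"])
        for r in parse_api_refs(text)
        if classify(r["api"], r["module"]) != "C++ runtime (noise)"
    )


if __name__ == "__main__":
    for tag, n in summarize(SAMPLE).most_common():
        print(f"{n:3d}  {tag}")
    for ref, api in interesting_refs(SAMPLE):
        print(f"{ref:08X}  {api}")
```

Run against the text of a whole report, the noise bucket absorbs the hundreds of `___std_exception_*` entries and the remaining addresses are the functions to open in the dump at image base 00E90000. The regex deliberately keeps `?` as an argument value, since Joe Sandbox prints it when an argument could not be resolved, as in the second Process32Next call above.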
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 00E934AF
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
               • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: @3$`!
              • API String ID: 2659868963-4232193924
              • Opcode ID: 892beb1d871fdecc5f01c7a286c4b0ff863c10d43989186ad05f301e3fcf4823
              • Instruction ID: db0c8e4c7b6c47969d790434ac53f4cccebccacfd300055cc950c39e11a8071b
              • Opcode Fuzzy Hash: 892beb1d871fdecc5f01c7a286c4b0ff863c10d43989186ad05f301e3fcf4823
              • Instruction Fuzzy Hash: F4F0A5B6604705AF8708CF59D801886FBE8FF59310305C53BE529C7B01E7B0E9288BA4
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 00E93078
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
               • Associated: 00000007.00000002.2907743147.0000000000E90000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2907795956.0000000000FC3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908156570.0000000000FC8000.00000008.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908232459.0000000000FCB000.00000004.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908286537.0000000000FCC000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908346929.0000000000FD8000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908661625.0000000001139000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908724803.000000000113B000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.0000000001150000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908810094.000000000115E000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908921946.0000000001163000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2908954101.0000000001165000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909031254.000000000118C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909089565.000000000118D000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909133057.0000000001197000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909191877.00000000011A3000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909296628.00000000011BD000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011C0000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.00000000011FD000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909353984.0000000001201000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909634093.000000000122B000.00000040.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.000000000122C000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909695678.0000000001232000.00000080.00000001.01000000.00000005.sdmp
               • Associated: 00000007.00000002.2909821477.0000000001242000.00000040.00000001.01000000.00000005.sdmp
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!$`!
              • API String ID: 2659868963-1501952390
              • Opcode ID: c3080a1251a1637fa7bd918a41d966a803a42c8db70027c191beb7ac886568e5
              • Instruction ID: d06e843b5afafe70ed7a35c351a031990489bbf166bf2212e1790088169686e5
              • Opcode Fuzzy Hash: c3080a1251a1637fa7bd918a41d966a803a42c8db70027c191beb7ac886568e5
              • Instruction Fuzzy Hash: 39E0EDB29012089BC710DFA8D80598AFBE8AB19701F1586AAE948D7301FAB095589BD1
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 00E930AE
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!$`!
              • API String ID: 2659868963-1501952390
              • Opcode ID: 2e4e9eca6640e4bc6ac4a3bacd860371f81a87fbff56cf93204a9bfbd5f7b56b
              • Instruction ID: a8d1f59a9e0cdc3b585cb49d091c8378f070c738ee6cb8d6e9d3afc1c90a8eeb
              • Opcode Fuzzy Hash: 2e4e9eca6640e4bc6ac4a3bacd860371f81a87fbff56cf93204a9bfbd5f7b56b
              • Instruction Fuzzy Hash: A0E012B25042149FD714DF48DC05846BBDCDF05754705843FF54DDB301E670D8149BA8
              APIs
              • ___std_exception_copy.LIBVCRUNTIME ref: 00E9224E
              Strings
              Memory Dump Source
              • Source File: 00000007.00000002.2907795956.0000000000E91000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E90000, based on PE: true
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_7_2_e90000_RageMP131.jbxd
              Yara matches
              Similarity
              • API ID: ___std_exception_copy
              • String ID: `!$`!
              • API String ID: 2659868963-1501952390
              • Opcode ID: 442d430827f584aa73dd38b20bde1aca3e4828d8d67617760ee36a563c85977c
              • Instruction ID: 04183974d1632aec0deff8f921eea4628542599e706a7a03ad93113ea1fd918b
              • Opcode Fuzzy Hash: 442d430827f584aa73dd38b20bde1aca3e4828d8d67617760ee36a563c85977c
              • Instruction Fuzzy Hash: A3E012B29042149BDB14DF48DC01846BBDCDF05754705843FF549DB301E770D8149BA4