Edit tour

Windows Analysis Report
LisectAVT_2403002A_140.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_140.exe
Analysis ID:	1482502
MD5:	8623f3410c6571a3880ed83c11197518
SHA1:	35396e27d5528a5c4740a93be024ec11db698df2
SHA256:	421f1f9e96fc1d6d553fa47a0ae79c23751471a02174524465eff1f6ec1fe897
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Yara detected RisePro Stealer

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Abnormal high CPU Usage

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_140.exe (PID: 5440 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_140.exe" MD5: 8623F3410C6571A3880ED83C11197518)

schtasks.exe (PID: 7252 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7300 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MPGPH131.exe (PID: 7348 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 8623F3410C6571A3880ED83C11197518)

MPGPH131.exe (PID: 7356 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 8623F3410C6571A3880ED83C11197518)

RageMP131.exe (PID: 7644 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 8623F3410C6571A3880ED83C11197518)

RageMP131.exe (PID: 8008 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 8623F3410C6571A3880ED83C11197518)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000003.1709813394.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000007.00000003.1856862638.0000000004E60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000B.00000003.1935348315.0000000004B80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000006.00000003.1776987778.00000000052E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000005.00000003.1776201948.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: LisectAVT_2403002A_140.exe PID: 5440	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 7348	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 7356	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7644	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 8008	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe, ProcessId: 5440, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T23:54:39.250102+0200
SID:	2046269
Source Port:	49740
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T23:54:23.985535+0200
SID:	2046269
Source Port:	49731
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.127.169.103 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T23:55:09.658050+0200
SID:	2022930
Source Port:	443
Destination Port:	49741
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T23:54:15.323291+0200
SID:	2049060
Source Port:	49730
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T23:54:23.985696+0200
SID:	2046269
Source Port:	49732
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T23:54:32.109492+0200
SID:	2046269
Source Port:	49734
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T23:54:18.312575+0200
SID:	2046269
Source Port:	49730
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T23:54:21.006750+0200
SID:	2049060
Source Port:	49732
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T23:54:30.562029+0200
SID:	2022930
Source Port:	443
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_140.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Avira: detection malicious, Label: TR/Redcap.dchmo
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Avira: detection malicious, Label: TR/Redcap.dchmo

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LisectAVT_2403002A_140.exe

Joe Sandbox ML: detected

Source: LisectAVT_2403002A_140.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 193.233.132.74 ports 0,5,7,8,58709,9

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 193.233.132.74:58709

Source: Joe Sandbox View

IP Address: 193.233.132.74 193.233.132.74

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe

Code function: 0_2_00D3E0A0 recv,setsockopt,WSAStartup,closesocket,socket,connect,closesocket,

0_2_00D3E0A0

Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_140.exe, 00000000.00000003.1709813394.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1776201948.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776987778.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1856862638.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.1935348315.0000000004B80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_140.exe, 00000000.00000003.1709813394.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1776201948.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776987778.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1856862638.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.1935348315.0000000004B80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4147804202.000000000181E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4147850074.00000000011AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4147764213.000000000169B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4148390163.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4148938152.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 00000007.00000002.4148390163.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT;
Source: RageMP131.exe, 0000000B.00000002.4148938152.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTR

System Summary

PE file contains section with special chars

Source: LisectAVT_2403002A_140.exe	Static PE information: section name:
Source: LisectAVT_2403002A_140.exe	Static PE information: section name: .idata
Source: LisectAVT_2403002A_140.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00DA9880	0_2_00DA9880
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00D950B0	0_2_00D950B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00E19824	0_2_00E19824
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00D291A0	0_2_00D291A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00D973F0	0_2_00D973F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00E02CE0	0_2_00E02CE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00D224F0	0_2_00D224F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00E084A0	0_2_00E084A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00E0646A	0_2_00E0646A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00DA55B0	0_2_00DA55B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00DA6550	0_2_00DA6550
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00D28D70	0_2_00D28D70
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00E0BEAF	0_2_00E0BEAF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00D39F50	0_2_00D39F50
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00E1F771	0_2_00E1F771
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00A950B0	5_2_00A950B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00AA9880	5_2_00AA9880
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00B19824	5_2_00B19824
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00A291A0	5_2_00A291A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00A973F0	5_2_00A973F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00B084A0	5_2_00B084A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00B02CE0	5_2_00B02CE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00A224F0	5_2_00A224F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00B0646A	5_2_00B0646A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00AA55B0	5_2_00AA55B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00A28D70	5_2_00A28D70
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00AA6550	5_2_00AA6550
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00B0BEAF	5_2_00B0BEAF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00B1F771	5_2_00B1F771
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00A39F50	5_2_00A39F50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00A950B0	6_2_00A950B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00AA9880	6_2_00AA9880
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00B19824	6_2_00B19824
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00A291A0	6_2_00A291A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00A973F0	6_2_00A973F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00B084A0	6_2_00B084A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00B02CE0	6_2_00B02CE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00A224F0	6_2_00A224F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00B0646A	6_2_00B0646A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00AA55B0	6_2_00AA55B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00A28D70	6_2_00A28D70
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00AA6550	6_2_00AA6550
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00B0BEAF	6_2_00B0BEAF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00B1F771	6_2_00B1F771
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00A39F50	6_2_00A39F50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_003B9824	7_2_003B9824
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_003350B0	7_2_003350B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00349880	7_2_00349880
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_002C91A0	7_2_002C91A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_003373F0	7_2_003373F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_003A646A	7_2_003A646A
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_003A84A0	7_2_003A84A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_003A2CE0	7_2_003A2CE0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_002C24F0	7_2_002C24F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_002C8D70	7_2_002C8D70
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00346550	7_2_00346550
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_003455B0	7_2_003455B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_003ABEAF	7_2_003ABEAF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_003BF771	7_2_003BF771
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_002D9F50	7_2_002D9F50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_003B9824	11_2_003B9824
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_003350B0	11_2_003350B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_00349880	11_2_00349880
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_002C91A0	11_2_002C91A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_003373F0	11_2_003373F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_003A646A	11_2_003A646A
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_003A84A0	11_2_003A84A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_003A2CE0	11_2_003A2CE0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_002C24F0	11_2_002C24F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_002C8D70	11_2_002C8D70
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_00346550	11_2_00346550
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_003455B0	11_2_003455B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_003ABEAF	11_2_003ABEAF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_003BF771	11_2_003BF771
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_002D9F50	11_2_002D9F50

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: String function: 0039FED0 appears 52 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 00AFFED0 appears 52 times

Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4152424609.00000000055E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_140.exe
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_140.exe
Source: LisectAVT_2403002A_140.exe	Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_140.exe

Source: LisectAVT_2403002A_140.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: LisectAVT_2403002A_140.exe	Static PE information: Section: ZLIB complexity 0.9993574134199135
Source: LisectAVT_2403002A_140.exe	Static PE information: Section: yxaifgwn ZLIB complexity 0.9896825177147919
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9993574134199135
Source: RageMP131.exe.0.dr	Static PE information: Section: yxaifgwn ZLIB complexity 0.9896825177147919
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9993574134199135
Source: MPGPH131.exe.0.dr	Static PE information: Section: yxaifgwn ZLIB complexity 0.9896825177147919

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/5@0/1

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7308:120:WilError_03

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Command line argument: nI	0_2_00E248C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Command line argument: nI<	7_2_003C48C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Command line argument: nI<	11_2_003C48C0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_140.exe, 00000000.00000003.1709813394.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1776201948.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776987778.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1856862638.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.1935348315.0000000004B80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_140.exe, 00000000.00000003.1709813394.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1776201948.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776987778.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1856862638.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.1935348315.0000000004B80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: LisectAVT_2403002A_140.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe "C:\Users\user\Desktop\LisectAVT_2403002A_140.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior

Source: LisectAVT_2403002A_140.exe

Static file information: File size 2334728 > 1048576

Source: LisectAVT_2403002A_140.exe

Static PE information: Raw size of yxaifgwn is bigger than: 0x100000 < 0x1a7600

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Unpacked PE file: 0.2.LisectAVT_2403002A_140.exe.d20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW; vs :ER;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 5.2.MPGPH131.exe.a20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW; vs :ER;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 6.2.MPGPH131.exe.a20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW; vs :ER;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 7.2.RageMP131.exe.2c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW; vs :ER;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 11.2.RageMP131.exe.2c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW; vs :ER;.rsrc:W;.idata :W; :EW;yxaifgwn:EW;yvccconk:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: yvccconk

Source: RageMP131.exe.0.dr	Static PE information: real checksum: 0x23c767 should be: 0x23c76f
Source: MPGPH131.exe.0.dr	Static PE information: real checksum: 0x23c767 should be: 0x23c76f
Source: LisectAVT_2403002A_140.exe	Static PE information: real checksum: 0x23c767 should be: 0x23c76f

Source: LisectAVT_2403002A_140.exe	Static PE information: section name:
Source: LisectAVT_2403002A_140.exe	Static PE information: section name: .idata
Source: LisectAVT_2403002A_140.exe	Static PE information: section name:
Source: LisectAVT_2403002A_140.exe	Static PE information: section name: yxaifgwn
Source: LisectAVT_2403002A_140.exe	Static PE information: section name: yvccconk
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: yxaifgwn
Source: RageMP131.exe.0.dr	Static PE information: section name: yvccconk
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: yxaifgwn
Source: MPGPH131.exe.0.dr	Static PE information: section name: yvccconk

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_012C21BD push 6955E4D9h; mov dword ptr [esp], ecx	0_2_012C21C2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_012C21BD push ecx; mov dword ptr [esp], 7BCBAC04h	0_2_012C21E8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_012C21BD push ecx; mov dword ptr [esp], eax	0_2_012C21FA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_012C2000 push eax; mov dword ptr [esp], 7F4E0ED2h	0_2_012C2001
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_012C2000 push ebp; mov dword ptr [esp], 745DEF78h	0_2_012C2016
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_012C2000 push 78960941h; mov dword ptr [esp], esi	0_2_012C20EA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_012C2000 push eax; mov dword ptr [esp], 5DEDB1E5h	0_2_012C2115
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_012C2046 push 78960941h; mov dword ptr [esp], esi	0_2_012C20EA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_012C2046 push eax; mov dword ptr [esp], 5DEDB1E5h	0_2_012C2115
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00DFFA97 push ecx; ret	0_2_00DFFAAA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00FC2046 push 78960941h; mov dword ptr [esp], esi	5_2_00FC20EA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00FC2046 push eax; mov dword ptr [esp], 5DEDB1E5h	5_2_00FC2115
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00FC2000 push eax; mov dword ptr [esp], 7F4E0ED2h	5_2_00FC2001
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00FC2000 push ebp; mov dword ptr [esp], 745DEF78h	5_2_00FC2016
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00FC2000 push 78960941h; mov dword ptr [esp], esi	5_2_00FC20EA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00FC2000 push eax; mov dword ptr [esp], 5DEDB1E5h	5_2_00FC2115
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00FC21BD push 6955E4D9h; mov dword ptr [esp], ecx	5_2_00FC21C2
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00FC21BD push ecx; mov dword ptr [esp], 7BCBAC04h	5_2_00FC21E8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00FC21BD push ecx; mov dword ptr [esp], eax	5_2_00FC21FA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00AFFA97 push ecx; ret	5_2_00AFFAAA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00FC2046 push 78960941h; mov dword ptr [esp], esi	6_2_00FC20EA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00FC2046 push eax; mov dword ptr [esp], 5DEDB1E5h	6_2_00FC2115
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00FC2000 push eax; mov dword ptr [esp], 7F4E0ED2h	6_2_00FC2001
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00FC2000 push ebp; mov dword ptr [esp], 745DEF78h	6_2_00FC2016
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00FC2000 push 78960941h; mov dword ptr [esp], esi	6_2_00FC20EA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00FC2000 push eax; mov dword ptr [esp], 5DEDB1E5h	6_2_00FC2115
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00FC21BD push 6955E4D9h; mov dword ptr [esp], ecx	6_2_00FC21C2
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00FC21BD push ecx; mov dword ptr [esp], 7BCBAC04h	6_2_00FC21E8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00FC21BD push ecx; mov dword ptr [esp], eax	6_2_00FC21FA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00AFFA97 push ecx; ret	6_2_00AFFAAA
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00862000 push eax; mov dword ptr [esp], 7F4E0ED2h	7_2_00862001

Source: LisectAVT_2403002A_140.exe	Static PE information: section name: entropy: 7.988366600079935
Source: LisectAVT_2403002A_140.exe	Static PE information: section name: yxaifgwn entropy: 7.949631188388849
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.988366600079935
Source: RageMP131.exe.0.dr	Static PE information: section name: yxaifgwn entropy: 7.949631188388849
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.988366600079935
Source: MPGPH131.exe.0.dr	Static PE information: section name: yxaifgwn entropy: 7.949631188388849

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep	graph_5-19710
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep	graph_0-20157
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep	graph_7-18161

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: E603D1 second address: E5FC69 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF158DB38F8h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f add dword ptr [ebp+122D17BDh], edx 0x00000015 push dword ptr [ebp+122D0BF1h] 0x0000001b pushad 0x0000001c mov eax, dword ptr [ebp+122D2B70h] 0x00000022 mov eax, dword ptr [ebp+122D2BC8h] 0x00000028 popad 0x00000029 call dword ptr [ebp+122D17C2h] 0x0000002f pushad 0x00000030 jmp 00007FF158DB3909h 0x00000035 jmp 00007FF158DB3907h 0x0000003a xor eax, eax 0x0000003c stc 0x0000003d mov edx, dword ptr [esp+28h] 0x00000041 jno 00007FF158DB38FEh 0x00000047 mov dword ptr [ebp+122D29E0h], eax 0x0000004d jmp 00007FF158DB3905h 0x00000052 mov esi, 0000003Ch 0x00000057 mov dword ptr [ebp+122D1FFBh], edi 0x0000005d jmp 00007FF158DB3909h 0x00000062 add esi, dword ptr [esp+24h] 0x00000066 sub dword ptr [ebp+122D1FFBh], edx 0x0000006c lodsw 0x0000006e jmp 00007FF158DB3900h 0x00000073 add eax, dword ptr [esp+24h] 0x00000077 or dword ptr [ebp+122D192Fh], esi 0x0000007d mov ebx, dword ptr [esp+24h] 0x00000081 xor dword ptr [ebp+122D2850h], edi 0x00000087 jno 00007FF158DB390Ah 0x0000008d push eax 0x0000008e push eax 0x0000008f push edx 0x00000090 jmp 00007FF158DB3904h 0x00000095 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FE0790 second address: FE07CC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007FF158548898h 0x0000000e push 00000000h 0x00000010 xor ecx, dword ptr [ebp+122D38B4h] 0x00000016 push 2D083B55h 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF15854888Bh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FE07CC second address: FE07D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FE09C8 second address: FE0A62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FF158548891h 0x0000000c popad 0x0000000d add dword ptr [esp], 326D3141h 0x00000014 mov ecx, dword ptr [ebp+122D2C74h] 0x0000001a xor dword ptr [ebp+122D1864h], ebx 0x00000020 push 00000003h 0x00000022 mov esi, dword ptr [ebp+122D1860h] 0x00000028 mov di, cx 0x0000002b push 00000000h 0x0000002d jmp 00007FF158548891h 0x00000032 push 00000003h 0x00000034 movzx edx, bx 0x00000037 push 679ED040h 0x0000003c push ecx 0x0000003d jmp 00007FF158548895h 0x00000042 pop ecx 0x00000043 add dword ptr [esp], 58612FC0h 0x0000004a and si, 2711h 0x0000004f lea ebx, dword ptr [ebp+1245468Ah] 0x00000055 jmp 00007FF158548892h 0x0000005a xchg eax, ebx 0x0000005b push eax 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f jnc 00007FF158548886h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FE0A62 second address: FE0A6C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF158DB38F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FE0A6C second address: FE0A88 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF158548891h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FE0B27 second address: FE0B3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jnc 00007FF158DB38F6h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FE0B3C second address: FE0B85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548893h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FF158548888h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 push 00000000h 0x00000027 xor dword ptr [ebp+122D1BCFh], ebx 0x0000002d push 922D7AF7h 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 pop eax 0x00000038 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FE0B85 second address: FE0B8B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FE0C7A second address: FE0C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF15854888Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FF1B5D second address: FF1B63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FF1B63 second address: FF1B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FFF4A1 second address: FFF4B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jbe 00007FF158DB38F6h 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FFF4B5 second address: FFF4BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FFF4BA second address: FFF4D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3904h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FFF4D4 second address: FFF4E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF15854888Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FFF7AF second address: FFF7BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FFF7BF second address: FFF7D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b je 00007FF15854888Eh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FFF98B second address: FFF997 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF158DB38FEh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FFFAF2 second address: FFFB14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF158548898h 0x00000009 jbe 00007FF158548886h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FFFB14 second address: FFFB18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FFFEDA second address: FFFF00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FF158548894h 0x0000000a pop edi 0x0000000b pushad 0x0000000c push esi 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop esi 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FFFF00 second address: FFFF08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10001A1 second address: 10001AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FF158548886h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10001AB second address: 10001C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3902h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FF158DB3902h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1000308 second address: 100030C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100030C second address: 100032E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FF158DB3907h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FD4DF7 second address: FD4E17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF158548890h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007FF158548886h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FD4E17 second address: FD4E1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1000BE3 second address: 1000BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF15854888Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1000BF4 second address: 1000BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1000BF9 second address: 1000BFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1001072 second address: 1001077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FC92D3 second address: FC92F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548892h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007FF15854888Ah 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1008F59 second address: 1008F5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1007800 second address: 1007804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100CA2E second address: 100CA32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100CA32 second address: 100CA3E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100CA3E second address: 100CA42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100CA42 second address: 100CA46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100CFB3 second address: 100CFBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100D2A1 second address: 100D2C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548892h 0x00000007 jnl 00007FF158548886h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100E37A second address: 100E393 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF158DB38F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007FF158DB38F8h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100E393 second address: 100E399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100E602 second address: 100E63E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF158DB3908h 0x00000009 popad 0x0000000a jmp 00007FF158DB3904h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007FF158DB38F6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100E63E second address: 100E642 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100E70D second address: 100E711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100E711 second address: 100E715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100EA6A second address: 100EA74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FF158DB38F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100EF20 second address: 100EF24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100EF24 second address: 100EF28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100F0B5 second address: 100F0CA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007FF15854888Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100F0CA second address: 100F0D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100F36E second address: 100F374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 100F374 second address: 100F379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 101045E second address: 10104C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FF158548886h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007FF158548898h 0x00000014 nop 0x00000015 jmp 00007FF158548891h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007FF158548888h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 00000015h 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 push 00000000h 0x00000038 mov esi, dword ptr [ebp+122D2CECh] 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 push ecx 0x00000042 pushad 0x00000043 popad 0x00000044 pop ecx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1010C7E second address: 1010C85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1011EB7 second address: 1011EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1012999 second address: 10129A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FF158DB38F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10129A3 second address: 10129FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b or dword ptr [ebp+122D2EADh], ebx 0x00000011 push 00000000h 0x00000013 movzx esi, ax 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push ecx 0x0000001b call 00007FF158548888h 0x00000020 pop ecx 0x00000021 mov dword ptr [esp+04h], ecx 0x00000025 add dword ptr [esp+04h], 0000001Dh 0x0000002d inc ecx 0x0000002e push ecx 0x0000002f ret 0x00000030 pop ecx 0x00000031 ret 0x00000032 jmp 00007FF158548890h 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FF15854888Ah 0x0000003f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10129FD second address: 1012A07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FF158DB38F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10131DE second address: 10131F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF158548893h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10149CF second address: 1014A43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB38FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007FF158DB38F8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 mov si, 332Dh 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push esi 0x0000002e call 00007FF158DB38F8h 0x00000033 pop esi 0x00000034 mov dword ptr [esp+04h], esi 0x00000038 add dword ptr [esp+04h], 00000016h 0x00000040 inc esi 0x00000041 push esi 0x00000042 ret 0x00000043 pop esi 0x00000044 ret 0x00000045 mov esi, eax 0x00000047 push 00000000h 0x00000049 clc 0x0000004a xchg eax, ebx 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e jmp 00007FF158DB3903h 0x00000053 pop eax 0x00000054 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1014A43 second address: 1014A48 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10176F1 second address: 10176F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10147A6 second address: 10147B0 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF15854888Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1017C98 second address: 1017C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1017C9D second address: 1017CA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FF158548886h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1017CA8 second address: 1017CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007FF158DB38FCh 0x0000000f jnl 00007FF158DB38F6h 0x00000015 popad 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1018EDC second address: 1018EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 101BEE1 second address: 101BEE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 101B045 second address: 101B063 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548890h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007FF158548886h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 101B063 second address: 101B067 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 101CE15 second address: 101CE28 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF158548886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jg 00007FF158548886h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 101C034 second address: 101C038 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 101CE28 second address: 101CE6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 cld 0x0000000a push 00000000h 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FF158548888h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 push 00000000h 0x00000028 mov edi, 54D955E5h 0x0000002d jmp 00007FF15854888Bh 0x00000032 xchg eax, esi 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push esi 0x00000038 pop esi 0x00000039 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 101C038 second address: 101C0C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push edi 0x0000000a call 00007FF158DB38F8h 0x0000000f pop edi 0x00000010 mov dword ptr [esp+04h], edi 0x00000014 add dword ptr [esp+04h], 00000018h 0x0000001c inc edi 0x0000001d push edi 0x0000001e ret 0x0000001f pop edi 0x00000020 ret 0x00000021 mov dword ptr [ebp+122D2846h], ecx 0x00000027 push dword ptr fs:[00000000h] 0x0000002e add dword ptr [ebp+122D2DAEh], edx 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b mov ebx, dword ptr [ebp+122D2AE0h] 0x00000041 mov eax, dword ptr [ebp+122D153Dh] 0x00000047 mov edi, ecx 0x00000049 push FFFFFFFFh 0x0000004b call 00007FF158DB3902h 0x00000050 or dword ptr [ebp+122D183Bh], ecx 0x00000056 pop ebx 0x00000057 nop 0x00000058 jg 00007FF158DB3902h 0x0000005e jp 00007FF158DB38FCh 0x00000064 jg 00007FF158DB38F6h 0x0000006a push eax 0x0000006b pushad 0x0000006c jng 00007FF158DB38FCh 0x00000072 push esi 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 101CE6F second address: 101CE79 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF158548886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 101DE6A second address: 101DE7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF158DB3901h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 101CFDF second address: 101CFE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 101CFE5 second address: 101CFE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 101CFE9 second address: 101CFFB instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF158548886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1020F3B second address: 1020F45 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF158DB38FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1023115 second address: 102311F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1025038 second address: 102503C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 102428C second address: 1024292 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 102503C second address: 1025055 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB38FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FF158DB38F6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1025055 second address: 10250E4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebp 0x0000000d call 00007FF158548888h 0x00000012 pop ebp 0x00000013 mov dword ptr [esp+04h], ebp 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc ebp 0x00000020 push ebp 0x00000021 ret 0x00000022 pop ebp 0x00000023 ret 0x00000024 jmp 00007FF15854888Eh 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ecx 0x0000002e call 00007FF158548888h 0x00000033 pop ecx 0x00000034 mov dword ptr [esp+04h], ecx 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc ecx 0x00000041 push ecx 0x00000042 ret 0x00000043 pop ecx 0x00000044 ret 0x00000045 push eax 0x00000046 call 00007FF15854888Fh 0x0000004b and edi, dword ptr [ebp+122D2AB8h] 0x00000051 pop ebx 0x00000052 pop ebx 0x00000053 push 00000000h 0x00000055 xchg eax, esi 0x00000056 push eax 0x00000057 jg 00007FF15854888Ch 0x0000005d jg 00007FF158548886h 0x00000063 pop eax 0x00000064 push eax 0x00000065 push ecx 0x00000066 jl 00007FF15854888Ch 0x0000006c push eax 0x0000006d push edx 0x0000006e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1027179 second address: 102717D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1025237 second address: 102523C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 102523C second address: 1025259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FF158DB3903h 0x00000010 jmp 00007FF158DB38FDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1025259 second address: 1025307 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548891h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FF15854888Eh 0x0000000f jmp 00007FF158548896h 0x00000014 push dword ptr fs:[00000000h] 0x0000001b jc 00007FF1585488A0h 0x00000021 call 00007FF158548893h 0x00000026 sub dword ptr [ebp+122D3366h], edi 0x0000002c pop ebx 0x0000002d mov dword ptr fs:[00000000h], esp 0x00000034 push 00000000h 0x00000036 push eax 0x00000037 call 00007FF158548888h 0x0000003c pop eax 0x0000003d mov dword ptr [esp+04h], eax 0x00000041 add dword ptr [esp+04h], 00000016h 0x00000049 inc eax 0x0000004a push eax 0x0000004b ret 0x0000004c pop eax 0x0000004d ret 0x0000004e mov edi, dword ptr [ebp+1247DC54h] 0x00000054 mov eax, dword ptr [ebp+122D1439h] 0x0000005a mov di, cx 0x0000005d push FFFFFFFFh 0x0000005f mov dword ptr [ebp+122D192Fh], edx 0x00000065 nop 0x00000066 push eax 0x00000067 je 00007FF158548888h 0x0000006d push eax 0x0000006e pop eax 0x0000006f pop eax 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1025307 second address: 1025312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF158DB38F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1027892 second address: 10278A7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF158548886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10285A6 second address: 10285AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10278A7 second address: 10278AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 102ABB6 second address: 102ABBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 103817E second address: 1038182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1038182 second address: 1038186 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1038186 second address: 103818C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 103818C second address: 10381B2 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF158DB3900h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007FF158DB38FCh 0x00000016 je 00007FF158DB38F6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10381B2 second address: 10381C6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007FF158548886h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10381C6 second address: 10381D0 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF158DB38F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10381D0 second address: 10381D5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10381D5 second address: 10381EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FF158DB38F8h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 103836D second address: 1038371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1038371 second address: 1038377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1038377 second address: 10383B9 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF158548896h 0x00000008 jmp 00007FF158548890h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 ja 00007FF15854888Ah 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jmp 00007FF158548892h 0x0000001f mov eax, dword ptr [eax] 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 103C294 second address: 103C2DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3905h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FF158DB391Eh 0x0000000f jmp 00007FF158DB3904h 0x00000014 jmp 00007FF158DB3904h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 103C2DB second address: 103C2F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF158548893h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 103C2F2 second address: 103C2F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 103C2F8 second address: 103C312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FF15854888Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 103CD44 second address: 103CD48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 103CD48 second address: 103CD62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FF158548894h 0x0000000c jmp 00007FF15854888Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 103CFF2 second address: 103D011 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF158DB38F6h 0x0000000a popad 0x0000000b jmp 00007FF158DB3904h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 103D011 second address: 103D02B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF15854888Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FF158548886h 0x0000000f jc 00007FF158548886h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 103D02B second address: 103D035 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF158DB38F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 103D035 second address: 103D047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007FF15854888Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 103D047 second address: 103D050 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 103D050 second address: 103D055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10419E7 second address: 10419ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1015B99 second address: 1015B9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1015CD6 second address: 1015CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1015CDA second address: 1015CDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1015DD9 second address: 1015DDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1015DDD second address: 1015DE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10163CD second address: 10163FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FF158DB3908h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f mov dword ptr [esp], esi 0x00000012 xor dword ptr [ebp+122D19ACh], eax 0x00000018 nop 0x00000019 push esi 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10166AA second address: 10166B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10166B1 second address: 10166DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3907h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF158DB38FDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1016A77 second address: 1016A7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1016A7B second address: 1016A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1016A81 second address: 1016A86 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1016A86 second address: 1016AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007FF158DB38FFh 0x0000000e pushad 0x0000000f jp 00007FF158DB38F6h 0x00000015 jo 00007FF158DB38F6h 0x0000001b popad 0x0000001c popad 0x0000001d nop 0x0000001e mov dword ptr [ebp+122D2114h], eax 0x00000024 push 0000001Eh 0x00000026 add dword ptr [ebp+122D2216h], edx 0x0000002c push eax 0x0000002d push eax 0x0000002e push edx 0x0000002f push esi 0x00000030 pushad 0x00000031 popad 0x00000032 pop esi 0x00000033 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1016C36 second address: 1016C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1016C3A second address: 1016C44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1016DBF second address: 1016DC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1016DC5 second address: 1016DEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF158DB3905h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FF158DB38F8h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1016DEB second address: 1016E11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548899h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1016E11 second address: 1016E15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FF4EB5 second address: FF4EC4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnc 00007FF158548886h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FF4EC4 second address: FF4EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FF4EC9 second address: FF4ED5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FF158548886h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FCC993 second address: FCC9B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 jnp 00007FF158DB38F6h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jc 00007FF158DB38F6h 0x00000018 jmp 00007FF158DB38FAh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FCC9B5 second address: FCC9C1 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF158548886h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1042285 second address: 1042289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1042289 second address: 10422B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FF158548886h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jno 00007FF1585488A1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10422B6 second address: 10422BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10423E3 second address: 10423E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10423E9 second address: 10423F6 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF158DB38F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104257C second address: 1042580 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1042580 second address: 1042595 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3901h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1042595 second address: 10425BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FF1585488A4h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1042748 second address: 104274E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104C13A second address: 104C140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104C140 second address: 104C14E instructions: 0x00000000 rdtsc 0x00000002 js 00007FF158DB38F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104C14E second address: 104C16C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF158548892h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104C16C second address: 104C18B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FF158DB38F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF158DB3900h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104C18B second address: 104C19B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF15854888Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104C19B second address: 104C19F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104C19F second address: 104C1A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104AFB4 second address: 104AFBA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104B10F second address: 104B15C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FF158548896h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF158548896h 0x00000014 jmp 00007FF158548897h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104B15C second address: 104B162 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104B162 second address: 104B16D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104B813 second address: 104B818 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104B818 second address: 104B820 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104BB02 second address: 104BB23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FF158DB3908h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104BE5F second address: 104BE64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 104BE64 second address: 104BE88 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF158DB390Fh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1051D0E second address: 1051D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007FF158548886h 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1051D25 second address: 1051D3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3901h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1051D3A second address: 1051D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007FF1585488A1h 0x0000000c je 00007FF158548886h 0x00000012 jmp 00007FF158548895h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1051D61 second address: 1051D88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF158DB3906h 0x00000008 ja 00007FF158DB38F6h 0x0000000e jl 00007FF158DB38F6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 105089E second address: 10508B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FF158548886h 0x0000000a jmp 00007FF15854888Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10508B3 second address: 10508B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1050A08 second address: 1050A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1050E18 second address: 1050E1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1050E1E second address: 1050E2C instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF158548886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1050E2C second address: 1050E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1050F86 second address: 1050FB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF15854888Dh 0x0000000e jmp 00007FF158548897h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1050FB3 second address: 1050FC0 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF158DB38F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1051108 second address: 1051112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1051112 second address: 1051123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jp 00007FF158DB38FCh 0x0000000b js 00007FF158DB38F6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1051123 second address: 1051128 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1051128 second address: 105113B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF158DB38F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FF158DB38F6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 105113B second address: 105113F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 105057A second address: 105058A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF158DB38F6h 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 105058A second address: 105058F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 105058F second address: 10505A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB38FFh 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 105554C second address: 1055550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 105AA3F second address: 105AA46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 105AA46 second address: 105AA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 js 00007FF158548886h 0x0000000c popad 0x0000000d pushad 0x0000000e jnp 00007FF158548886h 0x00000014 jg 00007FF158548886h 0x0000001a jnl 00007FF158548886h 0x00000020 popad 0x00000021 popad 0x00000022 pushad 0x00000023 jns 00007FF158548892h 0x00000029 push edi 0x0000002a jmp 00007FF158548890h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 105A36F second address: 105A38D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 jmp 00007FF158DB3902h 0x0000000a js 00007FF158DB38F6h 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 105F908 second address: 105F90E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 105F90E second address: 105F924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF158DB3901h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 105F924 second address: 105F929 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 105EE42 second address: 105EE4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 105EFCF second address: 105EFD4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 105F50E second address: 105F52E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF158DB390Bh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 105F52E second address: 105F534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1064BB2 second address: 1064BCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF158DB3902h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1064BCA second address: 1064BCE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1064BCE second address: 1064BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007FF158DB38F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1064D69 second address: 1064D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF15854888Dh 0x00000009 popad 0x0000000a jmp 00007FF158548896h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1064D91 second address: 1064D9D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FF158DB38F6h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1064D9D second address: 1064DA3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1064EE5 second address: 1064EF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF158DB38FCh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1064EF7 second address: 1064EFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1064EFB second address: 1064EFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10651B8 second address: 10651BE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10651BE second address: 10651DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3903h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1065304 second address: 106530E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF15854888Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1016957 second address: 101698B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF158DB38F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b nop 0x0000000c mov ecx, 3522221Ch 0x00000011 push 00000004h 0x00000013 call 00007FF158DB38FEh 0x00000018 or edx, dword ptr [ebp+122D29B4h] 0x0000001e pop edi 0x0000001f push eax 0x00000020 pushad 0x00000021 pushad 0x00000022 push ecx 0x00000023 pop ecx 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1066101 second address: 1066105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1066105 second address: 1066126 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007FF158DB3906h 0x0000000e jnp 00007FF158DB38F6h 0x00000014 jmp 00007FF158DB38FAh 0x00000019 push edi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1069498 second address: 106949E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 106949E second address: 10694A8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF158DB38F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10694A8 second address: 10694C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF158548897h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10694C5 second address: 10694F1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FF158DB3909h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jne 00007FF158DB38F6h 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1068C0F second address: 1068C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF158548899h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FF158548897h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1068C4A second address: 1068C52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1068DA0 second address: 1068DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnc 00007FF158548886h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1068DAD second address: 1068DB8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 js 00007FF158DB38F6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1068F32 second address: 1068F36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 106922A second address: 106922F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1070D12 second address: 1070D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1070D22 second address: 1070D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FF158DB3902h 0x0000000b jmp 00007FF158DB38FCh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1070D3D second address: 1070D52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF158548891h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1070D52 second address: 1070D56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 106ED9F second address: 106EDA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 106EF40 second address: 106EF4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF158DB38F6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 106EF4F second address: 106EF73 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jns 00007FF158548886h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FF158548894h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 106EF73 second address: 106EF79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 106F0B6 second address: 106F0C8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF158548886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007FF158548888h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 106F0C8 second address: 106F0D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 106F0D0 second address: 106F0D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 106F8E8 second address: 106F8F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF158DB38F6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 106F8F3 second address: 106F8FA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 106FB75 second address: 106FB7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 106FB7F second address: 106FB83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 106FB83 second address: 106FB8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF158DB38F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 106FEAB second address: 106FEAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 106FEAF second address: 106FEB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1073E0C second address: 1073E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1073E13 second address: 1073E18 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1077DAA second address: 1077DC4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FF158548894h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10781F0 second address: 10781F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10781F6 second address: 10781FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10781FA second address: 1078206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1078397 second address: 10783A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1086C0D second address: 1086C11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10873C9 second address: 10873D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10873D3 second address: 10873D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10873D9 second address: 10873DE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10873DE second address: 10873E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10873E7 second address: 10873EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10873EB second address: 10873F1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1088475 second address: 1088479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1088479 second address: 108847D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1086327 second address: 1086331 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF158548886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 108E1BF second address: 108E1C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 108E1C5 second address: 108E1E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jnp 00007FF15854889Fh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 108E1E9 second address: 108E1F8 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF158DB38F8h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 108DD48 second address: 108DD69 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FF15854888Ah 0x00000008 pushad 0x00000009 jmp 00007FF158548892h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 108DEB5 second address: 108DEBA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 108DEBA second address: 108DEDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 jne 00007FF158548886h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jmp 00007FF15854888Bh 0x00000017 push eax 0x00000018 push edx 0x00000019 jc 00007FF158548886h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 109CEC9 second address: 109CECE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 109E966 second address: 109E96A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 109E96A second address: 109E9AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FF158DB3905h 0x0000000c pop ecx 0x0000000d jmp 00007FF158DB38FFh 0x00000012 pushad 0x00000013 jmp 00007FF158DB3902h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 109E7BD second address: 109E7C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 109E7C3 second address: 109E7E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF158DB38FDh 0x00000009 popad 0x0000000a jmp 00007FF158DB38FFh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10A1CCA second address: 10A1CEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jp 00007FF1585488A0h 0x0000000b jmp 00007FF158548894h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10A785F second address: 10A7865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10A7865 second address: 10A7873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jno 00007FF158548886h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10A7873 second address: 10A7891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF158DB3903h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10A7891 second address: 10A78A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF15854888Eh 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FCE3F2 second address: FCE3FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FF158DB38F6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10BAB3B second address: 10BAB4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FF15854888Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10B941E second address: 10B943C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF158DB3907h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10B943C second address: 10B9440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10B9440 second address: 10B944C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF158DB38F6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10B944C second address: 10B9474 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FF158548886h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push edi 0x0000000c pop edi 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007FF158548897h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10B9474 second address: 10B9480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF158DB38F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10B95BD second address: 10B95C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF158548886h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10B9DAD second address: 10B9DBD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007FF158DB38F6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10BA89A second address: 10BA89F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10BE376 second address: 10BE387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF158DB38FBh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: FCFE66 second address: FCFEA9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop esi 0x00000006 jmp 00007FF158548897h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FF158548891h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FF158548890h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10E1A1F second address: 10E1A34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF158DB38F6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push edx 0x0000000e jne 00007FF158DB38F6h 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10E1A34 second address: 10E1A39 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10E1A39 second address: 10E1A63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF158DB3907h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FF158DB38F6h 0x00000012 je 00007FF158DB38F6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10E1A63 second address: 10E1A7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF15854888Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10E1732 second address: 10E1736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10E1736 second address: 10E173A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10E173A second address: 10E1740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10E1740 second address: 10E174B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 10E174B second address: 10E1750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1104CFD second address: 1104D03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1104D03 second address: 1104D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110555E second address: 1105564 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1105564 second address: 1105568 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1105842 second address: 1105846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1105846 second address: 110584A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110584A second address: 1105850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1105850 second address: 1105856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 11071D1 second address: 11071D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 11071D7 second address: 11071DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 11071DD second address: 11071EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF158548886h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 11071EC second address: 11071F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 11071F0 second address: 11071F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 1108871 second address: 1108885 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF158DB38FEh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110A05F second address: 110A065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110A065 second address: 110A069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110A069 second address: 110A06F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110A06F second address: 110A09A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FF158DB38F8h 0x0000000c jmp 00007FF158DB3907h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110A09A second address: 110A0BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF15854888Ch 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c jmp 00007FF15854888Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110CD7C second address: 110CD80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110CD80 second address: 110CD8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110CD8A second address: 110CDC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3909h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FF158DB38FCh 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110CDC0 second address: 110CDC6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110D03F second address: 110D043 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110D043 second address: 110D047 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110D047 second address: 110D090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FF158DB38FCh 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 sbb edx, 3ACF01A2h 0x00000016 mov edx, dword ptr [ebp+122D3B14h] 0x0000001c push dword ptr [ebp+122D380Eh] 0x00000022 sbb dl, FFFFFF92h 0x00000025 push 7675B700h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FF158DB3905h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110D090 second address: 110D0A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548891h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110D0A5 second address: 110D0AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FF158DB38F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110EA60 second address: 110EA65 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110EA65 second address: 110EA6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110EA6D second address: 110EA77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110E5F1 second address: 110E5FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FF158DB38F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110E5FB second address: 110E610 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548891h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110E610 second address: 110E634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a jnc 00007FF158DB38F6h 0x00000010 jmp 00007FF158DB38FFh 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110E634 second address: 110E63A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110E63A second address: 110E63E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 110E63E second address: 110E65E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548896h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 11105BE second address: 11105C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 11105C2 second address: 11105CC instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF158548886h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57F06A9 second address: 57F06DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, dl 0x00000005 jmp 00007FF158DB3900h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF158DB3907h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57F06DB second address: 57F06FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 59447571h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov edi, 6A7C5130h 0x00000012 mov bx, 505Ch 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b movzx esi, bx 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57F06FA second address: 57F071A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3905h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57F071A second address: 57F071E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57F071E second address: 57F0732 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov si, 8ABBh 0x0000000a popad 0x0000000b pop ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov eax, 1D0F5F69h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57B0E82 second address: 57B0E92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF15854888Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57B0E92 second address: 57B0EAA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF158DB38FDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57B0EAA second address: 57B0ED6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548891h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF15854888Eh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57B0ED6 second address: 57B0EDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57B0EDA second address: 57B0EDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57B0EDE second address: 57B0EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57B0EE4 second address: 57B0EF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF15854888Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830621 second address: 5830638 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3903h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57B0B73 second address: 57B0B90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 movsx edi, si 0x00000008 popad 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cl, bl 0x0000000f call 00007FF15854888Ch 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57B0B90 second address: 57B0BC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3900h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 movsx ebx, cx 0x00000013 popad 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FF158DB3900h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57B0BC9 second address: 57B0BCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57B0BCF second address: 57B0BD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57B0BD5 second address: 57B0BD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57B0BD9 second address: 57B0C45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+04h] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FF158DB3908h 0x00000012 adc eax, 157B9B88h 0x00000018 jmp 00007FF158DB38FBh 0x0000001d popfd 0x0000001e jmp 00007FF158DB3908h 0x00000023 popad 0x00000024 push dword ptr [ebp+0Ch] 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FF158DB3907h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58303E5 second address: 5830401 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF158548897h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830401 second address: 5830442 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FF158DB3904h 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FF158DB38FCh 0x00000017 xor eax, 65816078h 0x0000001d jmp 00007FF158DB38FBh 0x00000022 popfd 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830442 second address: 5830447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830447 second address: 583044C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 583044C second address: 583045A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 583045A second address: 583045E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 583045E second address: 5830477 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548895h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800BAB second address: 5800BBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB38FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58503EF second address: 5850413 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 mov bl, C8h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c mov ax, C641h 0x00000010 mov cl, 85h 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FF15854888Bh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5850413 second address: 5850417 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5850417 second address: 585041D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830DCB second address: 5830DD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830DD0 second address: 5830DD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830DD6 second address: 5830E05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3909h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF158DB38FDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830E05 second address: 5830E0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830E0B second address: 5830E0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830E0F second address: 5830E13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830E13 second address: 5830E23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c movsx edx, ax 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830E23 second address: 5830E6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF158548896h 0x00000008 pushfd 0x00000009 jmp 00007FF158548892h 0x0000000e jmp 00007FF158548895h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830E6F second address: 5830E75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830E75 second address: 5830EA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548892h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FF158548890h 0x00000010 pop ebp 0x00000011 pushad 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57C0455 second address: 57C0459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57C0459 second address: 57C045D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57C045D second address: 57C0463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 57C0463 second address: 57C04BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548899h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF15854888Eh 0x0000000f mov ebp, esp 0x00000011 jmp 00007FF158548890h 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FF158548897h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830500 second address: 583051C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3908h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830B2B second address: 5830B2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830B2F second address: 5830B35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830B35 second address: 5830C23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF158548890h 0x00000009 xor esi, 26760748h 0x0000000f jmp 00007FF15854888Bh 0x00000014 popfd 0x00000015 mov esi, 7DC70EBFh 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebp 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FF158548897h 0x00000025 or al, 0000003Eh 0x00000028 jmp 00007FF158548899h 0x0000002d popfd 0x0000002e popad 0x0000002f push eax 0x00000030 pushad 0x00000031 call 00007FF158548897h 0x00000036 pushfd 0x00000037 jmp 00007FF158548898h 0x0000003c add eax, 33CE3198h 0x00000042 jmp 00007FF15854888Bh 0x00000047 popfd 0x00000048 pop ecx 0x00000049 pushfd 0x0000004a jmp 00007FF158548899h 0x0000004f add eax, 6956FF36h 0x00000055 jmp 00007FF158548891h 0x0000005a popfd 0x0000005b popad 0x0000005c xchg eax, ebp 0x0000005d push eax 0x0000005e push edx 0x0000005f jmp 00007FF15854888Dh 0x00000064 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830C23 second address: 5830C48 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3901h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c movsx edx, si 0x0000000f popad 0x00000010 mov eax, dword ptr [ebp+08h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830C48 second address: 5830C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830C4C second address: 5830C50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830C50 second address: 5830C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830C56 second address: 5830C5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830C5C second address: 5830C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800A6F second address: 5800AA2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3901h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF158DB3908h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800AA2 second address: 5800AB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF15854888Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800AB1 second address: 5800AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800AB7 second address: 5800ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800ABB second address: 5800ABF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800ABF second address: 5800ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800ACE second address: 5800AD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800AD2 second address: 5800AEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548894h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830F66 second address: 5830FA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, dx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d mov al, 3Ch 0x0000000f popad 0x00000010 mov dword ptr [esp], ebp 0x00000013 jmp 00007FF158DB3902h 0x00000018 mov ebp, esp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF158DB3907h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830FA6 second address: 5830FAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, 37h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5840B54 second address: 5840B5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5840B5A second address: 5840B5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5840B5E second address: 5840B7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF158DB3905h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5840B7E second address: 5840B8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF15854888Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5840B8E second address: 5840B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5840B92 second address: 5840BF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FF158548897h 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 mov dx, si 0x00000014 pushfd 0x00000015 jmp 00007FF158548890h 0x0000001a xor esi, 0A8AB7B8h 0x00000020 jmp 00007FF15854888Bh 0x00000025 popfd 0x00000026 popad 0x00000027 xchg eax, ecx 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b jmp 00007FF15854888Bh 0x00000030 mov esi, 08D486DFh 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5840BF1 second address: 5840C8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 5256h 0x00000007 mov bx, 3DE2h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 movzx ecx, bx 0x00000014 pushfd 0x00000015 jmp 00007FF158DB3901h 0x0000001a xor cx, B3B6h 0x0000001f jmp 00007FF158DB3901h 0x00000024 popfd 0x00000025 popad 0x00000026 popad 0x00000027 xchg eax, ecx 0x00000028 jmp 00007FF158DB38FDh 0x0000002d mov eax, dword ptr [76FB65FCh] 0x00000032 jmp 00007FF158DB38FEh 0x00000037 test eax, eax 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c mov bx, 4E20h 0x00000040 pushfd 0x00000041 jmp 00007FF158DB3909h 0x00000046 and cx, F926h 0x0000004b jmp 00007FF158DB3901h 0x00000050 popfd 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5840C8C second address: 5840CB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548891h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FF1C9C3B54Bh 0x0000000f pushad 0x00000010 jmp 00007FF15854888Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5840CB8 second address: 5840CD7 instructions: 0x00000000 rdtsc 0x00000002 mov cx, C8D3h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov ecx, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF158DB3900h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5840CD7 second address: 5840CDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5840CDB second address: 5840CE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5840CE1 second address: 5840D31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, al 0x00000005 jmp 00007FF158548899h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor eax, dword ptr [ebp+08h] 0x00000010 jmp 00007FF158548897h 0x00000015 and ecx, 1Fh 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b call 00007FF15854888Bh 0x00000020 pop esi 0x00000021 pushad 0x00000022 popad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5840D31 second address: 5840D75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3904h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ror eax, cl 0x0000000b jmp 00007FF158DB3900h 0x00000010 leave 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FF158DB3907h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5840D75 second address: 5840D7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5840D7B second address: 5840D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 584014F second address: 584016B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 2D30DE34h 0x00000008 mov cx, di 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [ebp+08h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov esi, 316D45F7h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800008 second address: 580000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 580000C second address: 580001F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF15854888Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 580001F second address: 5800024 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800024 second address: 5800044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, di 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF158548893h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800044 second address: 580005C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF158DB3904h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 580005C second address: 5800060 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800060 second address: 580008A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007FF158DB3907h 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 580008A second address: 58000A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548897h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58000A5 second address: 580011D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF158DB38FFh 0x00000009 xor ch, 0000006Eh 0x0000000c jmp 00007FF158DB3909h 0x00000011 popfd 0x00000012 call 00007FF158DB3900h 0x00000017 pop esi 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b and esp, FFFFFFF8h 0x0000001e jmp 00007FF158DB3901h 0x00000023 xchg eax, ecx 0x00000024 jmp 00007FF158DB38FEh 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FF158DB38FEh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 580011D second address: 580012F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF15854888Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 580012F second address: 580013E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 580013E second address: 5800156 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548894h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800156 second address: 580015B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 580015B second address: 5800186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a pushad 0x0000000b mov bx, cx 0x0000000e mov cx, 9411h 0x00000012 popad 0x00000013 mov dword ptr [esp], ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF158548893h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800186 second address: 580018C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 580018C second address: 5800190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800190 second address: 5800194 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800194 second address: 58001A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+10h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58001A5 second address: 58001A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58001A9 second address: 58001AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58001AF second address: 58001B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58001B5 second address: 58001B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58001B9 second address: 58001FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a call 00007FF158DB3904h 0x0000000f jmp 00007FF158DB3902h 0x00000014 pop ecx 0x00000015 push ebx 0x00000016 push ecx 0x00000017 pop ebx 0x00000018 pop esi 0x00000019 popad 0x0000001a mov dword ptr [esp], esi 0x0000001d pushad 0x0000001e mov edx, 15F6BE7Ah 0x00000023 push eax 0x00000024 push edx 0x00000025 mov bx, D734h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58001FE second address: 5800265 instructions: 0x00000000 rdtsc 0x00000002 mov edx, 372F32A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov esi, dword ptr [ebp+08h] 0x0000000d pushad 0x0000000e call 00007FF158548895h 0x00000013 mov esi, 051D57E7h 0x00000018 pop eax 0x00000019 mov bl, 81h 0x0000001b popad 0x0000001c xchg eax, edi 0x0000001d jmp 00007FF158548894h 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007FF15854888Ch 0x0000002c add eax, 1B2ADA78h 0x00000032 jmp 00007FF15854888Bh 0x00000037 popfd 0x00000038 mov ah, CDh 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800265 second address: 58002B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3902h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF158DB38FDh 0x00000013 or ah, FFFFFFC6h 0x00000016 jmp 00007FF158DB3901h 0x0000001b popfd 0x0000001c jmp 00007FF158DB3900h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58002B3 second address: 580031B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF158548891h 0x00000009 add ah, FFFFFFD6h 0x0000000c jmp 00007FF158548891h 0x00000011 popfd 0x00000012 mov edx, esi 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 test esi, esi 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007FF15854888Fh 0x00000022 xor eax, 45FC070Eh 0x00000028 jmp 00007FF158548899h 0x0000002d popfd 0x0000002e movzx ecx, di 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 580031B second address: 5800335 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB38FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FF1CA4E1BE2h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5800335 second address: 580033B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 580033B second address: 580039E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3904h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 jmp 00007FF158DB3900h 0x00000015 je 00007FF1CA4E1BB7h 0x0000001b jmp 00007FF158DB3900h 0x00000020 mov edx, dword ptr [esi+44h] 0x00000023 jmp 00007FF158DB3900h 0x00000028 or edx, dword ptr [ebp+0Ch] 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e mov bl, F3h 0x00000030 mov bh, al 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 580039E second address: 58003E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF15854888Eh 0x00000008 mov esi, 0173D731h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 test edx, 61000000h 0x00000016 pushad 0x00000017 mov ax, 3B69h 0x0000001b push eax 0x0000001c mov ch, bh 0x0000001e pop esi 0x0000001f popad 0x00000020 jne 00007FF1C9C76B47h 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FF158548898h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58003E7 second address: 5800422 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB38FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d pushad 0x0000000e call 00007FF158DB3904h 0x00000013 mov ebx, eax 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 call 00007FF158DB38FDh 0x0000001d pop esi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5810113 second address: 5810134 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 6B144C7Ah 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF158548893h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5810134 second address: 5810167 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB3909h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FF158DB38FEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5810167 second address: 581016B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 581016B second address: 581016F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 581016F second address: 5810175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5810175 second address: 581017B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 581017B second address: 581017F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 581017F second address: 58101A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 pushad 0x0000000a pushad 0x0000000b mov edx, 5F0773BCh 0x00000010 mov bl, 0Fh 0x00000012 popad 0x00000013 pushad 0x00000014 push esi 0x00000015 pop edx 0x00000016 mov edx, eax 0x00000018 popad 0x00000019 popad 0x0000001a mov esi, dword ptr [ebp+08h] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58101A1 second address: 58101A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58101A9 second address: 58101C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF158DB3905h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58101C2 second address: 58101E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548891h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub ebx, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58101E1 second address: 58101E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58101E5 second address: 58101EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58101EB second address: 5810291 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF158DB3901h 0x00000009 adc si, 1E86h 0x0000000e jmp 00007FF158DB3901h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FF158DB3900h 0x0000001a and cx, F928h 0x0000001f jmp 00007FF158DB38FBh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 test esi, esi 0x0000002a jmp 00007FF158DB3906h 0x0000002f je 00007FF1CA4C9A30h 0x00000035 pushad 0x00000036 movzx eax, dx 0x00000039 pushad 0x0000003a pushad 0x0000003b popad 0x0000003c call 00007FF158DB38FFh 0x00000041 pop eax 0x00000042 popad 0x00000043 popad 0x00000044 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000004b jmp 00007FF158DB38FFh 0x00000050 mov ecx, esi 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 push edx 0x00000056 pushad 0x00000057 popad 0x00000058 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5810291 second address: 5810295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5810295 second address: 581029B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 581029B second address: 58102A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58102A1 second address: 58102A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58102A5 second address: 581032F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158548894h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007FF1C9C5E96Ah 0x00000011 jmp 00007FF158548890h 0x00000016 test byte ptr [76FB6968h], 00000002h 0x0000001d jmp 00007FF158548890h 0x00000022 jne 00007FF1C9C5E950h 0x00000028 jmp 00007FF158548890h 0x0000002d mov edx, dword ptr [ebp+0Ch] 0x00000030 jmp 00007FF158548890h 0x00000035 xchg eax, ebx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FF158548897h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 581032F second address: 5810383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 push edx 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FF158DB38FCh 0x00000010 xchg eax, ebx 0x00000011 jmp 00007FF158DB3900h 0x00000016 xchg eax, ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FF158DB38FDh 0x00000020 xor cl, FFFFFFE6h 0x00000023 jmp 00007FF158DB3901h 0x00000028 popfd 0x00000029 mov cx, 2117h 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5810383 second address: 581039B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF15854888Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d movsx edi, cx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 581039B second address: 5810406 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 512A7B15h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FF158DB3902h 0x0000000f or ecx, 469AE0E8h 0x00000015 jmp 00007FF158DB38FBh 0x0000001a popfd 0x0000001b popad 0x0000001c xchg eax, ebx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FF158DB38FBh 0x00000024 sbb esi, 0824482Eh 0x0000002a jmp 00007FF158DB3909h 0x0000002f popfd 0x00000030 popad 0x00000031 push dword ptr [ebp+14h] 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 mov dx, 758Eh 0x0000003b mov ecx, edi 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5810406 second address: 581040C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 581040C second address: 5810410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5810410 second address: 5810429 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+10h] 0x0000000b pushad 0x0000000c call 00007FF15854888Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5810450 second address: 5810454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5810454 second address: 581045A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 581045A second address: 581046C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edi 0x00000005 mov dx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 581046C second address: 5810470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5810470 second address: 5810474 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5810474 second address: 581047A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5871A13 second address: 5871A72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF158DB3907h 0x00000009 sub ecx, 01BA8E1Eh 0x0000000f jmp 00007FF158DB3909h 0x00000014 popfd 0x00000015 movzx eax, di 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f call 00007FF158DB3905h 0x00000024 pop esi 0x00000025 movsx edi, ax 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5871A72 second address: 5871A78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5871A78 second address: 5871A7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5871A7C second address: 5871ADA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007FF158548891h 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 mov esi, 2A431743h 0x00000018 movzx esi, di 0x0000001b popad 0x0000001c push 0000007Fh 0x0000001e jmp 00007FF15854888Bh 0x00000023 push 00000001h 0x00000025 jmp 00007FF158548896h 0x0000002a push dword ptr [ebp+08h] 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FF15854888Ah 0x00000036 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5871ADA second address: 5871ADE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5871ADE second address: 5871AE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5871AE4 second address: 5871AEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5830764 second address: 583077C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF158548894h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 583077C second address: 58307BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB38FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FF158DB3909h 0x00000011 xchg eax, ebp 0x00000012 jmp 00007FF158DB38FEh 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58307BE second address: 58307C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58307C2 second address: 58307C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58106B2 second address: 58106B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58106B8 second address: 58106DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FF158DB3904h 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58106DB second address: 58106DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58106DF second address: 581070D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF158DB38FDh 0x00000008 or ax, 3FD6h 0x0000000d jmp 00007FF158DB3901h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 mov di, ax 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 581070D second address: 5810728 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF158548890h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5810728 second address: 581075F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 8BD4h 0x00000007 pushfd 0x00000008 jmp 00007FF158DB38FDh 0x0000000d xor ax, B296h 0x00000012 jmp 00007FF158DB3901h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 581075F second address: 5810763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5810763 second address: 5810776 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF158DB38FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 5810776 second address: 58107A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 call 00007FF158548890h 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF158548893h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58107A8 second address: 58107AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	RDTSC instruction interceptor: First address: 58901C9 second address: 58901D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Special instruction interceptor: First address: E5FCA3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Special instruction interceptor: First address: 102AC0D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Special instruction interceptor: First address: 1015D50 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Special instruction interceptor: First address: 1090E94 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: B5FCA3 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: D2AC0D instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: D15D50 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: D90E94 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 3FFCA3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 5CAC0D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 5B5D50 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 630E94 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe

Code function: 0_2_058809E9 rdtsc

0_2_058809E9

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Window / User API: threadDelayed 1063	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Window / User API: threadDelayed 1087	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Window / User API: threadDelayed 1456	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1177	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1173	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 781	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1238	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1122	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 729	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1242	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1100	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1579	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 2054	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 3808	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 3808	Thread sleep time: -86043s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 3636	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 3636	Thread sleep time: -86043s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 7148	Thread sleep count: 80 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 7148	Thread sleep count: 243 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 7340	Thread sleep count: 234 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 5344	Thread sleep count: 1063 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 5344	Thread sleep time: -2127063s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 2676	Thread sleep count: 1087 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 2676	Thread sleep time: -2175087s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 3992	Thread sleep count: 1456 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe TID: 3992	Thread sleep time: -2913456s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7412	Thread sleep count: 96 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7412	Thread sleep time: -192096s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7384	Thread sleep count: 105 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7384	Thread sleep time: -210105s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7352	Thread sleep count: 1177 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7352	Thread sleep time: -118877s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7620	Thread sleep count: 1173 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7620	Thread sleep count: 781 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7620	Thread sleep time: -78100s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7388	Thread sleep count: 102 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7388	Thread sleep time: -204102s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7396	Thread sleep count: 87 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7396	Thread sleep time: -174087s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7484	Thread sleep count: 78 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7484	Thread sleep time: -156078s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7480	Thread sleep count: 123 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7480	Thread sleep time: -246123s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7360	Thread sleep count: 1238 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7360	Thread sleep time: -125038s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7616	Thread sleep count: 1122 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7616	Thread sleep count: 729 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7616	Thread sleep time: -72900s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7492	Thread sleep count: 101 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7492	Thread sleep time: -202101s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7508	Thread sleep count: 108 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7508	Thread sleep time: -216108s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7504	Thread sleep count: 122 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7504	Thread sleep time: -244122s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7496	Thread sleep count: 137 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7496	Thread sleep time: -274137s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7488	Thread sleep count: 124 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7488	Thread sleep time: -248124s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7692	Thread sleep time: -42021s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7680	Thread sleep count: 1242 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7680	Thread sleep time: -2485242s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7648	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7648	Thread sleep count: 253 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7844	Thread sleep count: 253 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7688	Thread sleep count: 1100 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7688	Thread sleep time: -2201100s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8072	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8072	Thread sleep time: -64032s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8044	Thread sleep count: 1579 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8044	Thread sleep time: -3159579s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012	Thread sleep count: 269 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8156	Thread sleep count: 232 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8052	Thread sleep count: 2054 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8052	Thread sleep time: -4110054s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8048	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8048	Thread sleep time: -112056s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed

Source: RageMP131.exe, RageMP131.exe, 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000005.00000002.4147850074.00000000011E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000006.00000002.4147764213.000000000169B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}GT:/
Source: RageMP131.exe, 0000000B.00000002.4148456840.00000000009FD000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}H
Source: RageMP131.exe, 00000007.00000002.4148390163.0000000000F9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_8C381D4C
Source: RageMP131.exe, 0000000B.00000003.1948086057.0000000000F93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000002.4147764213.000000000169B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
Source: RageMP131.exe, 0000000B.00000002.4148938152.0000000000F93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
Source: MPGPH131.exe, 00000006.00000002.4147764213.000000000169B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000& T:H
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4147804202.0000000001869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}~
Source: MPGPH131.exe, 00000006.00000002.4147764213.000000000169B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:R
Source: RageMP131.exe, 00000007.00000002.4148390163.0000000000FA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}y
Source: MPGPH131.exe, 00000006.00000002.4147764213.00000000016C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_8C381D4C
Source: RageMP131.exe, 0000000B.00000002.4148938152.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&c
Source: RageMP131.exe, 0000000B.00000003.1948086057.0000000000F91000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000B.00000002.4148938152.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}t
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: RageMP131.exe, 00000007.00000002.4148390163.0000000000FA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}x
Source: LisectAVT_2403002A_140.exe, 00000000.00000002.4147804202.0000000001854000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4147850074.00000000011E2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4148390163.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4148938152.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RageMP131.exe, 00000007.00000002.4148390163.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000gz

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_058900F1 Start: 05890149 End: 0589014D	0_2_058900F1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_05060337 Start: 050604A3 End: 05060346	5_2_05060337
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_05060277 Start: 050604A3 End: 05060340	5_2_05060277
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0506027E Start: 050604A3 End: 05060340	5_2_0506027E
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_050602AA Start: 050604A3 End: 05060340	5_2_050602AA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_050602BD Start: 050604A3 End: 05060340	5_2_050602BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_050602C3 Start: 050604A3 End: 05060340	5_2_050602C3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_05060AC3 Start: 05060B17 End: 05060AE6	5_2_05060AC3
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_050E0A5D Start: 050E0BAB End: 050E0B5E	7_2_050E0A5D
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_050E0ED2 Start: 050E0F55 End: 050E0E9D	7_2_050E0ED2

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe

Code function: 0_2_058809E9 rdtsc

0_2_058809E9

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00D83A40 mov eax, dword ptr fs:[00000030h]	0_2_00D83A40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00D83A40 mov eax, dword ptr fs:[00000030h]	0_2_00D83A40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Code function: 0_2_00D34100 mov eax, dword ptr fs:[00000030h]	0_2_00D34100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00A83A40 mov eax, dword ptr fs:[00000030h]	5_2_00A83A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00A83A40 mov eax, dword ptr fs:[00000030h]	5_2_00A83A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00A34100 mov eax, dword ptr fs:[00000030h]	5_2_00A34100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00A83A40 mov eax, dword ptr fs:[00000030h]	6_2_00A83A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00A83A40 mov eax, dword ptr fs:[00000030h]	6_2_00A83A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00A34100 mov eax, dword ptr fs:[00000030h]	6_2_00A34100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00323A40 mov eax, dword ptr fs:[00000030h]	7_2_00323A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00323A40 mov eax, dword ptr fs:[00000030h]	7_2_00323A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_002D4100 mov eax, dword ptr fs:[00000030h]	7_2_002D4100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_00323A40 mov eax, dword ptr fs:[00000030h]	11_2_00323A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_00323A40 mov eax, dword ptr fs:[00000030h]	11_2_00323A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_002D4100 mov eax, dword ptr fs:[00000030h]	11_2_002D4100

Source: LisectAVT_2403002A_140.exe, LisectAVT_2403002A_140.exe, 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, RageMP131.exe, 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmp

Binary or memory string: 8Program Manager

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe

Code function: 0_2_00DFF26A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_00DFF26A

Source: C:\Users\user\Desktop\LisectAVT_2403002A_140.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1709813394.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1856862638.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1935348315.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1776987778.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1776201948.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_140.exe PID: 5440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 8008, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1709813394.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1856862638.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1935348315.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1776987778.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1776201948.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_140.exe PID: 5440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7348, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7356, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 8008, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Command and Scripting Interpreter	1 Scheduled Task/Job	2 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	24 Virtualization/Sandbox Evasion	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	2 Process Injection	Security Account Manager	24 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	214 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_140.exe	100%	Avira	TR/Redcap.dchmo
LisectAVT_2403002A_140.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Avira	TR/Redcap.dchmo
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Avira	TR/Redcap.dchmo
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORTR	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT;	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	LisectAVT_2403002A_140.exe, 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_140.exe, 00000000.00000003.1709813394.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1776201948.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776987778.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1856862638.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.1935348315.0000000004B80000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	LisectAVT_2403002A_140.exe, 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_140.exe, 00000000.00000003.1709813394.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1776201948.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1776987778.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1856862638.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.1935348315.0000000004B80000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT	LisectAVT_2403002A_140.exe, 00000000.00000002.4147804202.000000000181E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4147850074.00000000011AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4147764213.000000000169B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4148390163.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4148938152.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORTR	RageMP131.exe, 0000000B.00000002.4148938152.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT;	RageMP131.exe, 00000007.00000002.4148390163.0000000000F5E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.233.132.74	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482502
Start date and time:	2024-07-25 23:53:17 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_140.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: LisectAVT_2403002A_140.exe

Simulations

Behavior and APIs

Time	Type	Description
17:54:39	API Interceptor	3588580x Sleep call for process: LisectAVT_2403002A_140.exe modified
17:54:46	API Interceptor	5531x Sleep call for process: MPGPH131.exe modified
17:54:54	API Interceptor	4822923x Sleep call for process: RageMP131.exe modified
22:54:15	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
22:54:15	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
22:54:15	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
22:54:23	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
193.233.132.74	LisectAVT_2403002A_163.exe	Get hash	malicious	RisePro Stealer	Browse
	LisectAVT_2403002A_185.exe	Get hash	malicious	RisePro Stealer	Browse
	LisectAVT_2403002A_218.exe	Get hash	malicious	RisePro Stealer	Browse
	LisectAVT_2403002A_228.exe	Get hash	malicious	RisePro Stealer	Browse
	LisectAVT_2403002A_376.exe	Get hash	malicious	RisePro Stealer	Browse
	LisectAVT_2403002B_242.exe	Get hash	malicious	RisePro Stealer	Browse
	LisectAVT_2403002A_224.exe	Get hash	malicious	RisePro Stealer	Browse
	80OrFCsz0u.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	LisectAVT_2403002A_151.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.62
	LisectAVT_2403002A_163.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.74
	LisectAVT_2403002A_185.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.74
	LisectAVT_2403002A_191.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.62
	LisectAVT_2403002A_218.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.74
	LisectAVT_2403002A_228.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.74
	LisectAVT_2403002A_30.exe	Get hash	malicious	Amadey	Browse	193.233.132.56
	LisectAVT_2403002A_33.exe	Get hash	malicious	Amadey	Browse	193.233.132.56
	LisectAVT_2403002A_376.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.74
	LisectAVT_2403002A_389.exe	Get hash	malicious	Amadey	Browse	193.233.132.56

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_140.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2334728
Entropy (8bit):	7.966376181541748
Encrypted:	false
SSDEEP:	49152:t/pAjCpBAG643phrM/A09sRK0cFCo8e6Sy:TqYAGH3p9j09sQ0Jfe6
MD5:	8623F3410C6571A3880ED83C11197518
SHA1:	35396E27D5528A5C4740A93BE024EC11DB698DF2
SHA-256:	421F1F9E96FC1D6D553FA47A0AE79C23751471A02174524465EFF1F6EC1FE897
SHA-512:	A9368B3E1C82538C226AD065522E005D5451787C37997E3089FB226C4F00180FE4B6C3338B6FB35769494565313C5C5542903633722300B64992A4006FE74313
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.\|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{Tf..Tg.{T..yUg.{TRichf.{T................PE..L....b.e...............".....0....... Z...........@..........................0Z.....g.#...@.........................0.Y.L...U...i.......X+.......................................................................................................... . .p..........................@....rsrc...X+..........................@....idata ............."..............@... ..+..........$..............@...yxaifgwn......?..v...&..............@...yvccconk..... Z.......#.............@...........................................................................................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_140.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_140.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2334728
Entropy (8bit):	7.966376181541748
Encrypted:	false
SSDEEP:	49152:t/pAjCpBAG643phrM/A09sRK0cFCo8e6Sy:TqYAGH3p9j09sQ0Jfe6
MD5:	8623F3410C6571A3880ED83C11197518
SHA1:	35396E27D5528A5C4740A93BE024EC11DB698DF2
SHA-256:	421F1F9E96FC1D6D553FA47A0AE79C23751471A02174524465EFF1F6EC1FE897
SHA-512:	A9368B3E1C82538C226AD065522E005D5451787C37997E3089FB226C4F00180FE4B6C3338B6FB35769494565313C5C5542903633722300B64992A4006FE74313
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.\|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{Tf..Tg.{T..yUg.{TRichf.{T................PE..L....b.e...............".....0....... Z...........@..........................0Z.....g.#...@.........................0.Y.L...U...i.......X+.......................................................................................................... . .p..........................@....rsrc...X+..........................@....idata ............."..............@... ..+..........$..............@...yxaifgwn......?..v...&..............@...yvccconk..... Z.......#.............@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_140.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_140.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	13
Entropy (8bit):	2.873140679513133
Encrypted:	false
SSDEEP:	3:LEETn:zT
MD5:	B50442C98D106BE58D1663C299789DB2
SHA1:	E0077AC9BAFC704110814BDE11E8E6A4775D5EB6
SHA-256:	2B3C17182F301EA1DFBE2FE423C3142A1C508C6FDBA24A98091BB0BA568175E8
SHA-512:	87C8C02F8A1B7B54C5540FDC6D11DB9323304F839FCA567C27E25156EDA18BC7050A4B4EFD50F282C1DFA96F1020AD752A3AAE236B0A5E0B0106C8FD3954B147
Malicious:	false
Preview:	1721950856886

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.966376181541748
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_140.exe
File size:	2'334'728 bytes
MD5:	8623f3410c6571a3880ed83c11197518
SHA1:	35396e27d5528a5c4740a93be024ec11db698df2
SHA256:	421f1f9e96fc1d6d553fa47a0ae79c23751471a02174524465eff1f6ec1fe897
SHA512:	a9368b3e1c82538c226ad065522e005d5451787c37997e3089fb226c4f00180fe4b6c3338b6fb35769494565313c5c5542903633722300b64992a4006fe74313
SSDEEP:	49152:t/pAjCpBAG643phrM/A09sRK0cFCo8e6Sy:TqYAGH3p9j09sQ0Jfe6
TLSH:	71B53382795C6790DC0EAB71DABCA1DC3D9BF31E5BB82C6DA5693C5F3E222740801467
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.\|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{

File Icon


Icon Hash:	c769eccc64f6e2bb

Static PE Info

General

Entrypoint:	0x9a2000
Entrypoint Section:	yvccconk
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65FD62AE [Fri Mar 22 10:51:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
push eax
mov dword ptr [esp], 7F4E0ED2h
not dword ptr [esp]
sub dword ptr [esp], 7C02F154h
mov dword ptr [esp], esi
push ebp
mov dword ptr [esp], 745DEF78h
xor dword ptr [esp], 52F5A078h
mov dword ptr [esp], eax
push ecx
mov ecx, esp
add ecx, 00000004h
sub ecx, 00000004h
xchg dword ptr [esp], ecx
pop esp
mov dword ptr [esp], esi
mov dword ptr [esp], ebx
call 00007FF158BB0AB6h
int3
push dword ptr [esp]
pop eax
push edx
mov edx, esp
add edx, 00000004h
add edx, 04h
xchg dword ptr [esp], edx
pop esp
push edx
mov edx, eax
mov ebx, edx
mov edx, dword ptr [esp]
push ebp
mov ebp, esp
add ebp, 00000004h
add ebp, 00000004h
xchg dword ptr [esp], ebp
pop esp
push ebp
mov ebp, 00000001h
sub eax, 62FFEA20h
add eax, ebp
add eax, 62FFEA20h
pop ebp
push ebp
mov ebp, 36BF3EF6h
neg ebp
push ebx
push edi
mov edi, 3FEF544Bh
mov ebx, edi
pop edi
sub ebx, 76C91341h
sub ebp, ebx
pop ebx
sub eax, ebp
pop ebp
sub eax, 0DB80046h
add eax, 0DB80000h
cmp byte ptr [ebx], FFFFFFCCh
jne 00007FF158BB0B6Ch
push cx
push eax
mov al, C0h
xor al, C0h
mov cl, al
mov eax, dword ptr [esp]
add esp, 04h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x59ea30	0x4c	yxaifgwn
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13b055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x138000	0x2b58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13b1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x137000	0x90600	ccdb1c68a806b4286b3d2f1754811337	False	0.9993574134199135	data	7.988366600079935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x138000	0x2b58	0xc00	b6c920f672f0968d7c7b62c98be363ee	False	0.8411458333333334	data	7.038805106731529	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x13b000	0x1000	0x200	745dea56938759dccaf9e183aa01b020	False	0.146484375	data	0.998472215956371	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x13c000	0x2be000	0x200	048889c5c479b7d141032a3d5b505e7d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
yxaifgwn	0x3fa000	0x1a8000	0x1a7600	9a8fdffaf144ffe129f67595edde6ea2	False	0.9896825177147919	data	7.949631188388849	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
yvccconk	0x5a2000	0x1000	0x400	d3887e5bf3782a2b3fb5387fcefacd8d	False	0.76953125	data	6.081397255693401	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x59ea7c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Russian	Russia	0.1892116182572614
RT_GROUP_ICON	0x5a1024	0x14	data	Russian	Russia	1.15
RT_VERSION	0x5a1038	0x2e4	data	Russian	Russia	0.4689189189189189
RT_MANIFEST	0x5a131c	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Exports

Name	Ordinal	Address
Start	1	0x466e80

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T23:54:39.250102+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49740	58709	192.168.2.4	193.233.132.74
2024-07-25T23:54:23.985535+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49731	58709	192.168.2.4	193.233.132.74
2024-07-25T23:55:09.658050+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49741	40.127.169.103	192.168.2.4
2024-07-25T23:54:15.323291+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49730	58709	192.168.2.4	193.233.132.74
2024-07-25T23:54:23.985696+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49732	58709	192.168.2.4	193.233.132.74
2024-07-25T23:54:32.109492+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49734	58709	192.168.2.4	193.233.132.74
2024-07-25T23:54:18.312575+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49730	58709	192.168.2.4	193.233.132.74
2024-07-25T23:54:21.006750+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49732	58709	192.168.2.4	193.233.132.74
2024-07-25T23:54:30.562029+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49733	13.85.23.86	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 23:54:15.293045998 CEST	49730	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:15.298260927 CEST	58709	49730	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:15.298382998 CEST	49730	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:15.323291063 CEST	49730	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:15.328327894 CEST	58709	49730	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:18.312575102 CEST	49730	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:18.317487955 CEST	58709	49730	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:20.974889040 CEST	49731	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:20.975426912 CEST	49732	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:20.981484890 CEST	58709	49731	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:20.981583118 CEST	58709	49732	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:20.981597900 CEST	49731	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:20.981637001 CEST	49732	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:20.997016907 CEST	49731	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:21.002434969 CEST	58709	49731	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:21.006750107 CEST	49732	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:21.013775110 CEST	58709	49732	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:23.985534906 CEST	49731	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:23.985696077 CEST	49732	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:23.993334055 CEST	58709	49731	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:23.993349075 CEST	58709	49732	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:29.092905998 CEST	49734	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:29.099237919 CEST	58709	49734	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:29.099322081 CEST	49734	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:29.124592066 CEST	49734	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:29.129951954 CEST	58709	49734	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:32.109492064 CEST	49734	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:32.114447117 CEST	58709	49734	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:36.241236925 CEST	49740	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:36.246253014 CEST	58709	49740	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:36.246329069 CEST	49740	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:36.266952038 CEST	49740	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:36.271994114 CEST	58709	49740	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:36.698096037 CEST	58709	49730	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:36.698204994 CEST	49730	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:39.250102043 CEST	49740	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:39.255590916 CEST	58709	49740	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:42.385385990 CEST	58709	49732	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:42.385523081 CEST	49732	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:42.385855913 CEST	58709	49731	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:42.386020899 CEST	49731	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:50.477514982 CEST	58709	49734	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:50.477631092 CEST	49734	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 23:54:57.631915092 CEST	58709	49740	193.233.132.74	192.168.2.4
Jul 25, 2024 23:54:57.632024050 CEST	49740	58709	192.168.2.4	193.233.132.74

Target ID:	0
Start time:	17:54:08
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_140.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_140.exe"
Imagebase:	0xd20000
File size:	2'334'728 bytes
MD5 hash:	8623F3410C6571A3880ED83C11197518
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1709813394.00000000055E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	17:54:13
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0xf20000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:54:13
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:54:13
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0xf20000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:54:13
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:54:15
Start date:	25/07/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0xa20000
File size:	2'334'728 bytes
MD5 hash:	8623F3410C6571A3880ED83C11197518
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000003.1776201948.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	17:54:15
Start date:	25/07/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0xa20000
File size:	2'334'728 bytes
MD5 hash:	8623F3410C6571A3880ED83C11197518
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000003.1776987778.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	17:54:23
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x2c0000
File size:	2'334'728 bytes
MD5 hash:	8623F3410C6571A3880ED83C11197518
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000003.1856862638.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	17:54:32
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x2c0000
File size:	2'334'728 bytes
MD5 hash:	8623F3410C6571A3880ED83C11197518
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000003.1935348315.0000000004B80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	4.6%
Signature Coverage:	2.5%
Total number of Nodes:	636
Total number of Limit Nodes:	62

Executed Functions

Function 00D3E0A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00D3E0CB
socket.WS2_32(?,?,?), ref: 00D3E17F
connect.WS2_32(00000000,?,?), ref: 00D3E193
closesocket.WS2_32(00000000), ref: 00D3E19E

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 394f20c536806130a6fadbd0fccbae766e8e27aab35baf1deba6771a1394d338
Instruction ID: 095f5a75bd7a0d14035f2a7bd9942ba65b5f626481a9714c8d102b9d393684ba
Opcode Fuzzy Hash: 394f20c536806130a6fadbd0fccbae766e8e27aab35baf1deba6771a1394d338
Instruction Fuzzy Hash: 0931B072605310ABE7209F25984872BB7E4EB85734F044F1DF9A8A62D0D37599048BB2

Function 058809E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05880AF7

Strings

{}n, xrefs: 05880BEC

Memory Dump Source

Source File: 00000000.00000002.4153535392.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5880000_LisectAVT_2403002A_140.jbxd

Similarity

API ID: CurrentProfile
String ID: {}n
API String ID: 2104809126-3130782868
Opcode ID: 3aa9c0baf16368726e46133faea51a4a0ba3837fc36b9bffbfbb38d11a126152
Instruction ID: 492cf1583ce72eab778f7ac3cd4b8805e9fc666935f4eca0346b182e0e538ae5
Opcode Fuzzy Hash: 3aa9c0baf16368726e46133faea51a4a0ba3837fc36b9bffbfbb38d11a126152
Instruction Fuzzy Hash: B5419DEB20D11CFDB212E9812B58EF6666FE6C67387308462FC07D6606E6944F8D5131

Function 00D83A40 Relevance: 2.7, APIs: 2, Instructions: 157sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00D83DB6), ref: 00D83B08
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00D83DB6), ref: 00D83BBA

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3560a8804f834f023d5013b3b9b0bd052bcc1f975fe879a406547539e623c809
Instruction ID: 8cf49d33870c5c691492d759c59f10c2f140927336a3c2ea115ff0ca3a50dd4c
Opcode Fuzzy Hash: 3560a8804f834f023d5013b3b9b0bd052bcc1f975fe879a406547539e623c809
Instruction Fuzzy Hash: 2351BB75A042159FCB28DF58C4D0EA9B3B5EF44B04B29459AD849AB351D731FE05CBA0

Function 0588097A Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{}n, xrefs: 05880BEC

Memory Dump Source

Source File: 00000000.00000002.4153535392.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5880000_LisectAVT_2403002A_140.jbxd

Similarity

API ID: CurrentProfile
String ID: {}n
API String ID: 2104809126-3130782868
Opcode ID: a79f6b3355ed0f3ab0c56e09ac90e2c5c3758b26ebc70525b68ae7a1c3c8f774
Instruction ID: 81e29e130c28db9c0a4a6ac2424b40d734be9224d8ab03cd2ff60fb893f92022
Opcode Fuzzy Hash: a79f6b3355ed0f3ab0c56e09ac90e2c5c3758b26ebc70525b68ae7a1c3c8f774
Instruction Fuzzy Hash: 8E5107EB60D218EDF212E5911B58AFA6A6FE7C3338B3084B6FC17D6142E6944E4D5131

Function 058809C2 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{}n, xrefs: 05880BEC

Memory Dump Source

Source File: 00000000.00000002.4153535392.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5880000_LisectAVT_2403002A_140.jbxd

Similarity

API ID:
String ID: {}n
API String ID: 0-3130782868
Opcode ID: 2c899945bfc44f8c7904ae31a0ccef1ae831f757f4c82e4c96e558e9238e084e
Instruction ID: 8f9ff98287b9fccb860c3a7f2fc532454d73dd3bd04059e0a2c1b592f2574c5e
Opcode Fuzzy Hash: 2c899945bfc44f8c7904ae31a0ccef1ae831f757f4c82e4c96e558e9238e084e
Instruction Fuzzy Hash: 095123EB60D218EDF212E5812B58AFB666FE7C3338B308476FC17D6246E6944E4D5131

Function 0588099A Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{}n, xrefs: 05880BEC

Memory Dump Source

Source File: 00000000.00000002.4153535392.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5880000_LisectAVT_2403002A_140.jbxd

Similarity

API ID: CurrentProfile
String ID: {}n
API String ID: 2104809126-3130782868
Opcode ID: 3d95b0548e31fc4c6195afd52d8ddabc41834ca9597e1ae7e3c29a89b38fcb84
Instruction ID: f8de00079da344595026db5c1da47da963f54c8e54c731945c198f007b6d80ab
Opcode Fuzzy Hash: 3d95b0548e31fc4c6195afd52d8ddabc41834ca9597e1ae7e3c29a89b38fcb84
Instruction Fuzzy Hash: 4441F1EB60D218EDF212E9912B58AFB666FE7C3738B308476FC07D6242E6944E4D5131

Function 058809AC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{}n, xrefs: 05880BEC

Memory Dump Source

Source File: 00000000.00000002.4153535392.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5880000_LisectAVT_2403002A_140.jbxd

Similarity

API ID: CurrentProfile
String ID: {}n
API String ID: 2104809126-3130782868
Opcode ID: 847b8f144d6c2a30c03a9f7d25e97c6184db2fce5a451007ae1f116dcbb60bfd
Instruction ID: e849d73ff684fe8c5c302e98fc6db43e6e31c585f259aebfcbe037b37632c804
Opcode Fuzzy Hash: 847b8f144d6c2a30c03a9f7d25e97c6184db2fce5a451007ae1f116dcbb60bfd
Instruction Fuzzy Hash: B241F2EB60D218EDF212E5912B58AFA666FE7C3738B308476FC07D6142E6944E4D5131

Function 05880A21 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 194
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05880AF7

Strings

{}n, xrefs: 05880BEC

Memory Dump Source

Source File: 00000000.00000002.4153535392.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5880000_LisectAVT_2403002A_140.jbxd

Similarity

API ID: CurrentProfile
String ID: {}n
API String ID: 2104809126-3130782868
Opcode ID: af4f5a5d55a304b799ffc9b4fd64587b19a12c0b4cf71f638a52dd213ee9eebb
Instruction ID: 6538eead7ea1fdf081ad8a963716c8add2fb6a2bfe67427748c717f900394235
Opcode Fuzzy Hash: af4f5a5d55a304b799ffc9b4fd64587b19a12c0b4cf71f638a52dd213ee9eebb
Instruction Fuzzy Hash: C541BEFB20D11CFDB212E9812B28EF766AFE6C6738B308466FC07D6506E6944E8D5131

Function 05880A2E Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05880AF7

Strings

{}n, xrefs: 05880BEC

Memory Dump Source

Source File: 00000000.00000002.4153535392.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5880000_LisectAVT_2403002A_140.jbxd

Similarity

API ID: CurrentProfile
String ID: {}n
API String ID: 2104809126-3130782868
Opcode ID: 48b7d24dea961620d5b5726c37661ad850c2a65c89c610628f8609addf1da65b
Instruction ID: 77650be23e2597eaeb075fb028f1998a8921b401995c8f6e7247a884b0535ce9
Opcode Fuzzy Hash: 48b7d24dea961620d5b5726c37661ad850c2a65c89c610628f8609addf1da65b
Instruction Fuzzy Hash: 0341BCFB20C11CFDB612E9822B18EFB66AFE6C67387308462FC07D6506E6944E8D5131

Function 05880A4A Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05880AF7

Strings

{}n, xrefs: 05880BEC

Memory Dump Source

Source File: 00000000.00000002.4153535392.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5880000_LisectAVT_2403002A_140.jbxd

Similarity

API ID: CurrentProfile
String ID: {}n
API String ID: 2104809126-3130782868
Opcode ID: b14890acd43c2e2cae82c13cdd090092ddf06b3fa0d98a80bfbda2c401214f3b
Instruction ID: 8ea826dd0008b243b67286ac8960070a28c4612f8e92aeec7921c89a442a4543
Opcode Fuzzy Hash: b14890acd43c2e2cae82c13cdd090092ddf06b3fa0d98a80bfbda2c401214f3b
Instruction Fuzzy Hash: 9D31BDFB60C11CFDB212E9822B18EFB66AFE6C67387308462FC07D6506E6944E8D5131

Function 05880A8B Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05880AF7

Strings

{}n, xrefs: 05880BEC

Memory Dump Source

Source File: 00000000.00000002.4153535392.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5880000_LisectAVT_2403002A_140.jbxd

Similarity

API ID: CurrentProfile
String ID: {}n
API String ID: 2104809126-3130782868
Opcode ID: 53917405ea156a1d76801d2e164fd8fcd4b2b528975a2225d06cf986fbe85c30
Instruction ID: 1ae63a1b1f42bd997774e985c2a20764a9ecda58c1ea01e9bb9105fbe006ff16
Opcode Fuzzy Hash: 53917405ea156a1d76801d2e164fd8fcd4b2b528975a2225d06cf986fbe85c30
Instruction Fuzzy Hash: C331B1EB60C118FDB212E9812B58EFA6BAFE6C77387308466FC07D6246E7914E4D5131

Function 05880A78 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05880AF7

Strings

{}n, xrefs: 05880BEC

Memory Dump Source

Source File: 00000000.00000002.4153535392.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5880000_LisectAVT_2403002A_140.jbxd

Similarity

API ID: CurrentProfile
String ID: {}n
API String ID: 2104809126-3130782868
Opcode ID: d71fc074752f754cde22658ff49b8c05d1991165f2b29f65657f7bf435dae9f8
Instruction ID: c405fdaea113e6ba4e50d8e02d04a2c5d889628dba6e4bc0ee7eff8520702065
Opcode Fuzzy Hash: d71fc074752f754cde22658ff49b8c05d1991165f2b29f65657f7bf435dae9f8
Instruction Fuzzy Hash: FE31CFFB20C218FDB612E9812B18EFA66AFE6C77387308466FC07D6106E7944E4D9131

Function 05880AA8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05880AF7

Strings

{}n, xrefs: 05880BEC

Memory Dump Source

Source File: 00000000.00000002.4153535392.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5880000_LisectAVT_2403002A_140.jbxd

Similarity

API ID: CurrentProfile
String ID: {}n
API String ID: 2104809126-3130782868
Opcode ID: c4fdf037427200237ee2d93815f817a99d844d1a98c786de7b3feb04a3ae135e
Instruction ID: 0f75071667b5f84dc809ef2066cdcd459ddedf8524fbd7abf32bf97e05bb52b1
Opcode Fuzzy Hash: c4fdf037427200237ee2d93815f817a99d844d1a98c786de7b3feb04a3ae135e
Instruction Fuzzy Hash: 8131BEEB20C118FDB252E9812B18AFA66AFE7C37387308472FC07D6246E7944E4D5131

Function 05880AED Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05880AF7

Strings

{}n, xrefs: 05880BEC

Memory Dump Source

Source File: 00000000.00000002.4153535392.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5880000_LisectAVT_2403002A_140.jbxd

Similarity

API ID: CurrentProfile
String ID: {}n
API String ID: 2104809126-3130782868
Opcode ID: c330ac68956a99b38e84efce325649ca56814418e7a6f095b2250ff1e30cc69c
Instruction ID: 6e43bcb00acfb4252b19b8c63fd89b93a1f1c61fe2359b0c26f072776a653ef8
Opcode Fuzzy Hash: c330ac68956a99b38e84efce325649ca56814418e7a6f095b2250ff1e30cc69c
Instruction Fuzzy Hash: 9731C1FB20C118EDB212E9822B18AFB66AFE7C27387308472FC07D6246E7944E4D5131

Function 00E04942 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

O, xrefs: 00E04A93, 00E04A61, 00E04AAB, 00E04AC7

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID: O
API String ID: 0-1003900172
Opcode ID: 6dd8a39adf44e6e22b67b331b9d5f467a46f61c2ee85d80b5f560068db17ac23
Instruction ID: c0c0002f4fa056b4908c1903c81d1283a65237b14587e0fcaf87d296986a6ab3
Opcode Fuzzy Hash: 6dd8a39adf44e6e22b67b331b9d5f467a46f61c2ee85d80b5f560068db17ac23
Instruction Fuzzy Hash: 4951B7F0B00108AFDF14DF58C941AAABBF1EF89354F249158F9496B2D2E3719E81CB90

Function 05880AD2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05880AF7

Strings

{}n, xrefs: 05880BEC

Memory Dump Source

Source File: 00000000.00000002.4153535392.0000000005880000.00000040.00001000.00020000.00000000.sdmp, Offset: 05880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5880000_LisectAVT_2403002A_140.jbxd

Similarity

API ID: CurrentProfile
String ID: {}n
API String ID: 2104809126-3130782868
Opcode ID: 53373867391c24f05c0300e6e7dce6e2d6c3d698d03f5baca736e57064c911de
Instruction ID: 16093d9234e5425c8741ba47e4722a85954899e17e538c25dbf690636568785c
Opcode Fuzzy Hash: 53373867391c24f05c0300e6e7dce6e2d6c3d698d03f5baca736e57064c911de
Instruction Fuzzy Hash: 9231C1FB60C11CEDB212E9811B18AF766AFE7C67387308462FC07DA146E7A04E4D9130

Function 00E14623 Relevance: 3.3, APIs: 2, Instructions: 297COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f87ea318735bf93fa886d17571dabad0c6021ff069577edaab22609ed760afb8
Instruction ID: 5c31d36a620e160544f3308a8dcb40e9f9e04e41f3169f7fe4dbd6fb12eed9b5
Opcode Fuzzy Hash: f87ea318735bf93fa886d17571dabad0c6021ff069577edaab22609ed760afb8
Instruction Fuzzy Hash: 28B1D0B0A04249AFDB159FA9E841BEEBBF1AF85304F146158F550BB3D2C7709D81CB60

Function 00D2A210 Relevance: 1.7, APIs: 1, Instructions: 231COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00D2A343

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 5ee5233dc9acc3f43b69b9799ea002ff7af5cae4de79c54e4c72077a93d55f5b
Instruction ID: 31968ab9b5ac19846eeb6c5a42c42af1d7205e6b3d11a6a42e4579e88ee37987
Opcode Fuzzy Hash: 5ee5233dc9acc3f43b69b9799ea002ff7af5cae4de79c54e4c72077a93d55f5b
Instruction Fuzzy Hash: F8711671900214AFDB14DFACEC49BAEB7E8EF41704F14856DF8099B282D7B5D94187A2

Function 00E1549C Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,00E09087,?,00000000,00000000,00000000,?,00000000,?,00D2A3EB,00E09087,00000000,00D2A3EB,?,?), ref: 00E15621

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a54de33de4c6f77a68e747eb5ac1a9cd597f064c151fa1df11c0ecc5938852c5
Instruction ID: 1778f1c028e369fbeb63ecfeb22aa85c4639933c1a563ee1ef4db26dd8999dd1
Opcode Fuzzy Hash: a54de33de4c6f77a68e747eb5ac1a9cd597f064c151fa1df11c0ecc5938852c5
Instruction Fuzzy Hash: 8D61D4B2D00509EFDF11DFA8C844EEEBBBAAF89308F541149E800B7255D371D981CBA0

Function 00D90560 Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00D906AE

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction ID: 5825870caf0014ef11b162317af7577ba7edb31eb510b0288f6893433ccbfd13
Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction Fuzzy Hash: 7141B172A001189FCF15DF68E9806AE7BE5AF89350F1542AAF815EB342D730DD609BF1

Function 00E14B12 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00E149F9,00000000,CF830579,00E51140,0000000C,00E14AB5,00E08BBD,?), ref: 00E14B68

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 92c6c7bf6078766b85db76bcf9f736bd32c2c968cc82561822dd2c25a4643d29
Instruction ID: b6c5fc75219d61b1605a4c9f96937aab27b975c69e24757555b1d73bd5787fba
Opcode Fuzzy Hash: 92c6c7bf6078766b85db76bcf9f736bd32c2c968cc82561822dd2c25a4643d29
Instruction Fuzzy Hash: AB116BB374A1141AC72422B46C09FFE67C98B82778F3D221DF814BB2C2EE60ECC15155

Function 00E0E05C Relevance: 1.6, APIs: 1, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00E50DF8,00D2A3EB,00000002,00D2A3EB,00000000,?,?,?,00E0E166,00000000,?,00D2A3EB,00000002,00E50DF8), ref: 00E0E098

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 57415cbfcd9dc791843391966df2c7fade6b14bf286cccdd9bfbe8ec8f2036f6
Instruction ID: 53fa28984a30f1bafcc7e5297224e14e9ef364a3e23895abf495a1bc9db2eb5d
Opcode Fuzzy Hash: 57415cbfcd9dc791843391966df2c7fade6b14bf286cccdd9bfbe8ec8f2036f6
Instruction Fuzzy Hash: D101F932614219AFCF15DF59CC05C9E7B69DB81334B341658F890BB2D1E6B1ED819BD0

Function 00DFF290 Relevance: 1.6, APIs: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00D2220E

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 31cd7e249cfde1dc418a58985caa0acdc3abfaa63db44c906279af9edcb37909
Instruction ID: 29545cc48899358ad9b1f533f440f77292fbb1c343f2eeb32b0f54aea6623bdb
Opcode Fuzzy Hash: 31cd7e249cfde1dc418a58985caa0acdc3abfaa63db44c906279af9edcb37909
Instruction Fuzzy Hash: 99012B3550030DBBCB14AF98EC029A977ECDE00314F14C435FB18EB991E770E99487A4

Function 00E163F3 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00E091F7,00000000,?,00E15D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,00E0D244,00E089C3,00E091F7,00000000), ref: 00E16435

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fac18176b3e75ec29b54ca59d0cd0732fd6fcce98546baf151b7703e640a4019
Instruction ID: 62e5de23e57c9649fb24c09aca27569df966be724721ce8f98f77e6aa5267dc3
Opcode Fuzzy Hash: fac18176b3e75ec29b54ca59d0cd0732fd6fcce98546baf151b7703e640a4019
Instruction Fuzzy Hash: 30F0893150522466DB216B629C06BDF7B9AFF41768F15B455BD28B61C0CB30EC9186F1

Function 00E16E2D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00E1D635,00000000,?,00E1D635,00000220,?,W,00000000), ref: 00E16E60

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: eb244c6205ba0b4a87dc00121d82e144ea96ca3290f8de8c35e58b1bc3550621
Instruction ID: 96eb37e2e0eb1d71e016fa144ece7eb1a7539627e1e6b7704dba17b9b62353a1
Opcode Fuzzy Hash: eb244c6205ba0b4a87dc00121d82e144ea96ca3290f8de8c35e58b1bc3550621
Instruction Fuzzy Hash: 2DE0ED391006216ADE3022A6ED00BDB768DCF823A5F053721BD16B60D0CB20CAC082E4

Function 058902DB Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153594520.0000000005890000.00000040.00001000.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_LisectAVT_2403002A_140.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479dccd83ff6072a932cdb467727282e91ad892144bc03e743fc5c00728b04e8
Instruction ID: 20351ebfc694b05a869dbc5ef3dead3e95d59a39b746aac5c89d0e00c71f7bab
Opcode Fuzzy Hash: 479dccd83ff6072a932cdb467727282e91ad892144bc03e743fc5c00728b04e8
Instruction Fuzzy Hash: E61101B760C318EFBB4AD5A6679C57B77AAFAD32343388476F802C3002E5649D0A6130

Function 058902D6 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153594520.0000000005890000.00000040.00001000.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_LisectAVT_2403002A_140.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e89c4420c8d4c63f8315a01a48ac90e6eae488226843e61396cd5facd8d22d4d
Instruction ID: 16f020d2e6140dc3a94300e535ee657308b70cc93c43bdc26a3de1b3a6aaa337
Opcode Fuzzy Hash: e89c4420c8d4c63f8315a01a48ac90e6eae488226843e61396cd5facd8d22d4d
Instruction Fuzzy Hash: 1001F1B760C228EF7A0AD1926B8857B779BE9D22383788076FC07C3102E5588D0A7130

Function 0589038A Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153594520.0000000005890000.00000040.00001000.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_LisectAVT_2403002A_140.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e384c37903b0c282a71a9225d6031304e33b0bb9b9efa59919f9003b3c246075
Instruction ID: 22da2b0235966a53d91a16300da1090f0793dc069dc7c80978edbdd70efcf508
Opcode Fuzzy Hash: e384c37903b0c282a71a9225d6031304e33b0bb9b9efa59919f9003b3c246075
Instruction Fuzzy Hash: 530147E7A08218EF771AE0A2169D6BAB757EAC22383784439FC03D7102F4058D0A6020

Function 0589036C Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153594520.0000000005890000.00000040.00001000.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_LisectAVT_2403002A_140.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b67f3afa15b0067caddc8372acb88cf72762ca6a4b89fc09345d2501bcd4cbf
Instruction ID: ac0e2a6088c2bf5300992e512944d9cb9ea5616d7f5090f28e70cdbe14dfec7b
Opcode Fuzzy Hash: 5b67f3afa15b0067caddc8372acb88cf72762ca6a4b89fc09345d2501bcd4cbf
Instruction Fuzzy Hash: 450147E3A0C218EFFB59D192668967B7797E6C32387784476FC03DB202F5548D0A3121

Function 0589032B Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153594520.0000000005890000.00000040.00001000.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_LisectAVT_2403002A_140.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ea226ba3317518a176b4f07b933008cafac75dff16cf2b1ab4028a4b48957ad
Instruction ID: 648f358096cc0f12e3d19f6d88f3729f837c928e639b8bd32e48983f2b5f8bcc
Opcode Fuzzy Hash: 6ea226ba3317518a176b4f07b933008cafac75dff16cf2b1ab4028a4b48957ad
Instruction Fuzzy Hash: E5017BF7608218EF770AE1622A9D1FBB717E6C22383384479FC03D7142E4549E0A6020

Function 05890303 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153594520.0000000005890000.00000040.00001000.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_LisectAVT_2403002A_140.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75f93a8058da59b374bb2c1f3a18e9a3971f146377ed3c074545309c2f3d0519
Instruction ID: 79344cd92cb3052632faba7948f55423fe68c8f48540180e00c27d1174e1ef7d
Opcode Fuzzy Hash: 75f93a8058da59b374bb2c1f3a18e9a3971f146377ed3c074545309c2f3d0519
Instruction Fuzzy Hash: 010121B760C218EFBA09E196278857B775BE5C22383788476FC03C7102E5948D0A3130

Function 0589034E Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153594520.0000000005890000.00000040.00001000.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_LisectAVT_2403002A_140.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78af77e6e5c4d4653d5796d9f41e5653ecf99fb71da967a7dfe802b1d828cc1
Instruction ID: 482c75c0f148334fd0718e7f459bf366bee1c05f00275bc747105a1dfc95de33
Opcode Fuzzy Hash: f78af77e6e5c4d4653d5796d9f41e5653ecf99fb71da967a7dfe802b1d828cc1
Instruction Fuzzy Hash: 690170B360D114DFAB16C19129985BB7757E9C323833844B5FC42D7002E5594E0B6131

Function 058903B9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153594520.0000000005890000.00000040.00001000.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_LisectAVT_2403002A_140.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f156f0975e0530a888170cec49e92ab675148ab509844de14e56345bc37dbde8
Instruction ID: 4cb0337014280b132e1b02488b5b70d62499620873877e03bf058dd601ae3b83
Opcode Fuzzy Hash: f156f0975e0530a888170cec49e92ab675148ab509844de14e56345bc37dbde8
Instruction Fuzzy Hash: 0CF0E2B771C229EF7A19E0A7664C5BF766BA5C22383788036F802C3002E5588D0A3130

Function 058903A7 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153594520.0000000005890000.00000040.00001000.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_LisectAVT_2403002A_140.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce276e338e20242aad05af2d396e36b2d6d741b92c0630cb9b6a4fc32dd59f60
Instruction ID: d0bfe60d67e4231fa303e6b721b7786dcf67b123c17913c4c0ba27e16f01e672
Opcode Fuzzy Hash: ce276e338e20242aad05af2d396e36b2d6d741b92c0630cb9b6a4fc32dd59f60
Instruction Fuzzy Hash: 58E02BBB71C21CDE6715F0A626985BB7797D5C12383B48072F802D3401E569880F6130

Non-executed Functions

Function 00D39F50 Relevance: 19.8, Strings: 14, Instructions: 2331COMMON

Download Yara Rule

Strings

131, xrefs: 00D3A178, 00D3A17F, 00D3A190
type must be boolean, but is , xrefs: 00D3BF3C, 00D3BF6D, 00D3C02B
., xrefs: 00D3AB30
irvl, xrefs: 00D3A527
|N, xrefs: 00D3A2D3
%s|%s, xrefs: 00D3A198
kwbt, xrefs: 00D3A4CE
arqt, xrefs: 00D3A4C7
$, xrefs: 00D3BD6D
,, xrefs: 00D3A6AF
:, xrefs: 00D3A097
,, xrefs: 00D3A5D2
., xrefs: 00D3B0E2
|N, xrefs: 00D3A321

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID: $$%s|%s$,$,$.$.$131$:$arqt$irvl$kwbt$type must be boolean, but is $|N$|N
API String ID: 0-3825697014
Opcode ID: 22dec3f6252744b51e5bc7026f49acc0156f32b390a23ba4d94900cd4e2b51e4
Instruction ID: 10dca8d94dd00a5a0aae62a85abf6be4cf4785908b823db4f36ff86f37e28c5f
Opcode Fuzzy Hash: 22dec3f6252744b51e5bc7026f49acc0156f32b390a23ba4d94900cd4e2b51e4
Instruction Fuzzy Hash: 7523C070D002588FDB28DF68C859BEDBBB4EF05314F188199E549AB292DB359E84CF71

Function 00D28D70 Relevance: 9.1, Strings: 7, Instructions: 327COMMON

Download Yara Rule

Strings

t, xrefs: 00D28E37
l, xrefs: 00D28FB0
p, xrefs: 00D28DBE
File, xrefs: 00D28F73
bkg`, xrefs: 00D28DB7
lwcf, xrefs: 00D28FA9
eHlW, xrefs: 00D28FA2

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID: File$bkg`$eHlW$l$lwcf$p$t
API String ID: 0-3184506882
Opcode ID: 3cfd3b9d2593f7ed9bf469cff4b0949a3b6b26783333687982fdd9b7a57818e6
Instruction ID: 69462f5a0a51195fc5a1420c0c77d3de9c3d00ad6c8ed14f7a6528d81e861763
Opcode Fuzzy Hash: 3cfd3b9d2593f7ed9bf469cff4b0949a3b6b26783333687982fdd9b7a57818e6
Instruction Fuzzy Hash: FDC1CC70D0022DAEEF24CFA4DC95BEEBBB9EF04304F144069E504BB281DB719A45CB65

Function 00D973F0 Relevance: 7.9, APIs: 3, Strings: 1, Instructions: 897COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 00D978C7

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: e823d01d0b6b5db39bd1a0d973ed913041dea7122c3e3cbdc6003bc2fc3aa794
Instruction ID: bf8d2d45b5bebbac8281da98d29c7bf4628705747ad46e018c7d08bd180291f1
Opcode Fuzzy Hash: e823d01d0b6b5db39bd1a0d973ed913041dea7122c3e3cbdc6003bc2fc3aa794
Instruction Fuzzy Hash: BF626171E046199FCF14DF6CC8806ADBBF5FF48314F288269E819AB395D730A951CBA0

Function 00E084A0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction ID: e33f6df9bb4a2ca3f8a116d4ce7e6e5c96ebe36a9e363b98f1bf169ae0e08209
Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction Fuzzy Hash: 3A024C71E002199BDF14CFA8D9806AEBBF1FF48314F65926AD559F7380DB31A941CB90

Function 00D950B0 Relevance: 5.3, Strings: 4, Instructions: 268COMMON

Download Yara Rule

Strings

type must be number, but is , xrefs: 00D95241
/Kim, xrefs: 00D952C2
type must be string, but is , xrefs: 00D95114
/Kim, xrefs: 00D952A9

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID: /Kim$/Kim$type must be number, but is $type must be string, but is
API String ID: 0-1144537432
Opcode ID: 5dac5ed0456a3fb97de4868f27ec2a4fa7ca7341f39aff0eaae5eb4d273565aa
Instruction ID: dd5d58e9a61f134a896faab065cc1db64e51eda3e23aea1e686827ec85ec9db2
Opcode Fuzzy Hash: 5dac5ed0456a3fb97de4868f27ec2a4fa7ca7341f39aff0eaae5eb4d273565aa
Instruction Fuzzy Hash: 70912672E006189FCB08CF6CE8517DDB7A9EB88310F14827EE819E7395E6759D05CBA4

Function 00D291A0 Relevance: 4.9, Strings: 3, Instructions: 1146COMMON

Download Yara Rule

Strings

\, xrefs: 00D29528
/, xrefs: 00D294E2
/\/, xrefs: 00D2956A, 00D2959C

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID: /$/\/$\
API String ID: 0-1523196992
Opcode ID: fea12d3e870321bf3c406ad8b8ef7202e3e3e1bbe853536c70fe5de0b34205fb
Instruction ID: 8b2292ee533f1bc205eb28c6c1d189ff274c69c59c6061fb7cf2a6b4d33499be
Opcode Fuzzy Hash: fea12d3e870321bf3c406ad8b8ef7202e3e3e1bbe853536c70fe5de0b34205fb
Instruction Fuzzy Hash: 3F920371D002688FDF14CFA8D8A46EEFBB5EF65318F1842ADD445A7281E7319A46CB70

Function 00DA55B0 Relevance: 3.9, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

`ic, xrefs: 00DA583C
eIcm, xrefs: 00DA5835
yNrw, xrefs: 00DA5764

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID: `ic$eIcm$yNrw
API String ID: 0-2666854388
Opcode ID: 7a86bae7b52eba615fee289beb30cc65518e57e864a21739d599d2851cc85f02
Instruction ID: 98e65c1022540c7b5d7abd55b29d2b8e86bdc8fd105b47cc46818069e46eee92
Opcode Fuzzy Hash: 7a86bae7b52eba615fee289beb30cc65518e57e864a21739d599d2851cc85f02
Instruction Fuzzy Hash: C9815EB0C1834CAEDF08CFA4D8456EEBBB9EF56300F50809ED841AB651D7794249CBA5

Function 00D224F0 Relevance: 2.7, Strings: 2, Instructions: 221COMMON

Download Yara Rule

Strings

L, xrefs: 00D225C7
L, xrefs: 00D226B7

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID: L$L
API String ID: 0-2020623011
Opcode ID: b48b70bf9382fe97d0301a7da437dc2734cc316c4374f6c1f4245a383f391751
Instruction ID: 2376f9278fbf3146856db9ff1b1b8166427a4f1ee06d62e91dd93712ed309e70
Opcode Fuzzy Hash: b48b70bf9382fe97d0301a7da437dc2734cc316c4374f6c1f4245a383f391751
Instruction Fuzzy Hash: A4712BB5D00266AFEB15CF69D8D07BEFBB5EB25308F040169E854A7782C734994AC7B0

Function 00E0BEAF Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

0, xrefs: 00E0C01F

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 092342815b528e5b6d63dfea02b3071fef9f829637cb8f720479addf4d7ba7a6
Instruction ID: cacdeef65ab65dd375915412138dbd5edeb1cb51f0ca4e1a3ccf1c0d514a4593
Opcode Fuzzy Hash: 092342815b528e5b6d63dfea02b3071fef9f829637cb8f720479addf4d7ba7a6
Instruction Fuzzy Hash: CCB19D74A00646CFDB24CF68C890ABAB7B1FF05318F246719D9A6B72D2C731A985CB51

Function 00DFF26A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,?,00DFEC78,?,?,?,?,00D340EB,?,00D83C2E), ref: 00DFF283

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: c71a697dad466f9985d77cd5b209e2c945a1bc26970b453906732feb2ede54f1
Instruction ID: 666320d41ff0c8ec904a2a9fc41817ade8dc7ce9524264339b00e58e2632c319
Opcode Fuzzy Hash: c71a697dad466f9985d77cd5b209e2c945a1bc26970b453906732feb2ede54f1
Instruction Fuzzy Hash: 2FD0233654113C5745152BC1EC0487D77184F05750305C437DA06A3214CA515C0497E8

Function 00DA9880 Relevance: .7, Instructions: 748COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d23d34740a60a0db1b62212d6abb4e08803f85f86d99ede1b5ff6f02f411aedd
Instruction ID: 093313ad08e3335fb49e2216bfd04048b75112eed78c0c90738b4c90da224c55
Opcode Fuzzy Hash: d23d34740a60a0db1b62212d6abb4e08803f85f86d99ede1b5ff6f02f411aedd
Instruction Fuzzy Hash: 82627EB0E002149FDF18CF59C5946ADFBF1AF8A304F2881ADD854AB346D735DA46CBA1

Function 00E1F771 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4165833f375aa6f93db41442aa3d2db10f8894533c30b66aecbf6731423fbca4
Instruction ID: 8ab964d10460bff41626fa1aa29ab215042c3e2094e8bef37340d3b961ca23c6
Opcode Fuzzy Hash: 4165833f375aa6f93db41442aa3d2db10f8894533c30b66aecbf6731423fbca4
Instruction Fuzzy Hash: 57B1F3755007059BDB38AB64C892BFBB3E8EF44308F14553DE987E6580EA74E9C5CB90

Function 00E19824 Relevance: .3, Instructions: 270COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44ad2981917a24add3c60b808d8dcaed526cfc4870c14c63f841f31c918598d9
Instruction ID: 1cd0388ff8267392d883448905b843e6f55ce177b4d0f1d38f23806f98a41a61
Opcode Fuzzy Hash: 44ad2981917a24add3c60b808d8dcaed526cfc4870c14c63f841f31c918598d9
Instruction Fuzzy Hash: D8B15C316106089FD719CF28C496BA57BE0FF45368F29965CE8DADF2A2C335E985CB40

Function 00DA6550 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671abae2bab33ba2931d639338142cd433631808412e7dd3e373e866f7148ca1
Instruction ID: b4ee744930fdf2134fb077667150184438755e70a34458edaea6b66f05fe0faf
Opcode Fuzzy Hash: 671abae2bab33ba2931d639338142cd433631808412e7dd3e373e866f7148ca1
Instruction Fuzzy Hash: 666146316101688FD714CF5FECC45263B66A78A30138B465AEBC1E73A6C735E92AD7A0

Function 00D34100 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d41d7c835665e109860553638f6406abd3f5ffd56976e93abe4b39ce6e5217a9
Instruction ID: ca868961e59976fcc83e6e1af5a851ada769ba7c3a7f1cf4b308248743d7ed8d
Opcode Fuzzy Hash: d41d7c835665e109860553638f6406abd3f5ffd56976e93abe4b39ce6e5217a9
Instruction Fuzzy Hash: 2F518AB1E002099FCB18DF98D881AEEBBB5FB89310F14456DE419B7351D734AA44CBB4

Function 00E0646A Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
Instruction ID: 5e78e8d15e46bf434feb5ff5b9f72dda89f5d3c8b3fe07f843f060ae6eff4d51
Opcode Fuzzy Hash: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
Instruction Fuzzy Hash: B4517F72D00219AFDF14CF98C941BEEBBB6FF88314F198459E915BB241D7349A90DB90

Function 00E02CE0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 4a5acded9e1cefecb4742504c38a2508f82e5ddf140e4e10c2334e52e6ac2773
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: D3112BB724048243D6148A2DD8BC6B7E3D5EBD532872DA37ED3416B7D8E232DDC5A500

Function 058900F1 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4153594520.0000000005890000.00000040.00001000.00020000.00000000.sdmp, Offset: 05890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5890000_LisectAVT_2403002A_140.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af693d005e482924849b0b30b0cd8be0c2d69ec03865d89ae0304c4a11bc5417
Instruction ID: 3517beee5a6939466f9f3070b09a40e0701655ea368aa04b89e99042f6a0f558
Opcode Fuzzy Hash: af693d005e482924849b0b30b0cd8be0c2d69ec03865d89ae0304c4a11bc5417
Instruction Fuzzy Hash: 9EF02BD314C769EEA94FF0490A585B63B5FE1973743388137FC07CE153D2584D4A1121

Function 00D8F810 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D8F833
std::_Lockit::_Lockit.LIBCPMT ref: 00D8F855
std::_Lockit::~_Lockit.LIBCPMT ref: 00D8F875
std::_Lockit::~_Lockit.LIBCPMT ref: 00D8F89F
std::_Lockit::_Lockit.LIBCPMT ref: 00D8F90D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D8F959
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00D8F973
std::_Lockit::~_Lockit.LIBCPMT ref: 00D8FA08
std::_Facet_Register.LIBCPMT ref: 00D8FA15

Strings

bad locale name, xrefs: 00D8FA2F
", xrefs: 00D8F96B, 00D8F972

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name$"
API String ID: 3375549084-2690866413
Opcode ID: d9d42386952f5705d3519ce29dfa303eeab9643dab5d31719fb4814e3f958a52
Instruction ID: c420e41be4601b67c7825a82e70dbf389e6c02ecce4f406ad9a7fd15af60d913
Opcode Fuzzy Hash: d9d42386952f5705d3519ce29dfa303eeab9643dab5d31719fb4814e3f958a52
Instruction Fuzzy Hash: AA616AB1D002189BEB10EFA4D845BAEBBB5EF14310F194469E845AB391EB74A905CBB1

Function 00E02E10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E02E47
___except_validate_context_record.LIBVCRUNTIME ref: 00E02E4F
_ValidateLocalCookies.LIBCMT ref: 00E02ED8
__IsNonwritableInCurrentImage.LIBCMT ref: 00E02F03
_ValidateLocalCookies.LIBCMT ref: 00E02F58

Strings

csm, xrefs: 00E02EED
i, xrefs: 00E02F78

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: i$csm
API String ID: 1170836740-3794079885
Opcode ID: 1bff35a80dd7eed352c34217291d2592b440fa98577ea907ca0cda7bc6edc40b
Instruction ID: 5e7c52d7aa93ff0bd0bdcf228ec167a0967e1cf7773c3732a0c9af291f451ea3
Opcode Fuzzy Hash: 1bff35a80dd7eed352c34217291d2592b440fa98577ea907ca0cda7bc6edc40b
Instruction Fuzzy Hash: E541E970A002099FCF11DF68C889A9EBBF5AF44318F149059EA14BB3D2D731DE85CB91

Function 00D239F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D23A58
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D23AA4
__Getctype.LIBCPMT ref: 00D23ABA
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00D23AE6
std::_Lockit::~_Lockit.LIBCPMT ref: 00D23B7B

Strings

bad locale name, xrefs: 00D23B96

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: acd4eea1911e16d700ee583830f9a3a003f4ec2fb14d14e73230a6883c4f80df
Instruction ID: 5b52c7d6ae6be47f0a44d75de73c59b24666711f66312925afd696ce8d6b683e
Opcode Fuzzy Hash: acd4eea1911e16d700ee583830f9a3a003f4ec2fb14d14e73230a6883c4f80df
Instruction Fuzzy Hash: 865130B1D003589BDB10DFA4D845B9EBBF8EF14314F188069E909AB381E779DA04CB71

Function 00D8DE70 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D8DE93
std::_Lockit::_Lockit.LIBCPMT ref: 00D8DEB6
std::_Lockit::~_Lockit.LIBCPMT ref: 00D8DED6
std::_Facet_Register.LIBCPMT ref: 00D8DF4B
std::_Lockit::~_Lockit.LIBCPMT ref: 00D8DF63
Concurrency::cancel_current_task.LIBCPMT ref: 00D8DF7B

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 187a4b6aa1f4cb07ee34edf1e9779fb240d34cda7534d035825e020420355cef
Instruction ID: 99c12765cce4eab2a10584ce4c515890b48f97e6ca0c1e0a0da5727eb53755b5
Opcode Fuzzy Hash: 187a4b6aa1f4cb07ee34edf1e9779fb240d34cda7534d035825e020420355cef
Instruction Fuzzy Hash: CC41E1719002599FCB14EF58D841A6EBBB6FF50310F144668E945AB3D2D730AD04CBF1

Function 00D24C50 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 442COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00D24F72
___std_exception_destroy.LIBVCRUNTIME ref: 00D24FFF
___std_exception_copy.LIBVCRUNTIME ref: 00D250C8

Strings

recursive_directory_iterator::operator++, xrefs: 00D2504C

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 151531db8f738f72140fa2157602545381d5dbc150a7f1631c21989a9c8415ac
Instruction ID: bd10c1e2204a00ec880deadfd1e1331cda223fbef29b90b1bba0d51085b4943a
Opcode Fuzzy Hash: 151531db8f738f72140fa2157602545381d5dbc150a7f1631c21989a9c8415ac
Instruction Fuzzy Hash: 67E124B19002049FDB18DF68E845BAEB7F9FF44700F148A2DE856A3781D774A944CBB1

Function 00D27820 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 310COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00D2799A
___std_exception_copy.LIBVCRUNTIME ref: 00D27B75

Strings

type_error, xrefs: 00D2784A
out_of_range, xrefs: 00D27A27

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: out_of_range$type_error
API String ID: 2659868963-3702451861
Opcode ID: f79c607325ee9d092274a5225edbb507e881eda4d3eac8f7cc169e34302ceb33
Instruction ID: 0f2d01505593f80958d6d6355b465ad299adfc2af31b42ebe2677cb2737c71d6
Opcode Fuzzy Hash: f79c607325ee9d092274a5225edbb507e881eda4d3eac8f7cc169e34302ceb33
Instruction Fuzzy Hash: EFC168B19002189FDB18CFA8E98479DFBF1FF49310F14866AE419EB781E7749980CB61

Function 00D22270 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00D22275

Part of subcall function 00DFD6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00DFD6F5

Strings

L, xrefs: 00D22347
L, xrefs: 00D22427
string too long, xrefs: 00D22270

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: string too long$L$L
API String ID: 1997705970-3008666486
Opcode ID: a58f9060ca3d115a213af190cadb07fbf8788cb861d298d5b60447f4d7ca602a
Instruction ID: 8a502bb09a3277092bf086fb81557303d0aa67f9141c3508cbd8e40007b3c93d
Opcode Fuzzy Hash: a58f9060ca3d115a213af190cadb07fbf8788cb861d298d5b60447f4d7ca602a
Instruction Fuzzy Hash: EC812175A04295AFDB05CF68C4507FDBBF1EF6A304F18419EE894A7782C3658546CBB0

Function 00D273B0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 184COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00D275BE
___std_exception_destroy.LIBVCRUNTIME ref: 00D275CD

Strings

at line , xrefs: 00D273F7
, column , xrefs: 00D27434, 00D2744A

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 3d53d2a4b37ec84d9670e74abaf582749c1a968e8b419b8f58ac9cffc9074832
Instruction ID: 4a6b8b0cda11e8a106d81ae433271370a17586f6d1c8dca54f19468f52ae92f5
Opcode Fuzzy Hash: 3d53d2a4b37ec84d9670e74abaf582749c1a968e8b419b8f58ac9cffc9074832
Instruction Fuzzy Hash: 7D61F571A042149FDB18DF68EC85B9DFBF6FF44304F24862CE415A7B81D774AA408BA0

Function 00D23D10 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00D23E7F

Strings

ios_base::eofbit set, xrefs: 00D23E41, 00D23E63
ios_base::badbit set, xrefs: 00D23E17
ios_base::failbit set, xrefs: 00D23D32

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: b6208f2d8e3c4a35edaafe7a8085803fd8f27c942fa80abed92b8200fddef056
Instruction ID: 9ab6cf41562cefbb97202807d929837db02cf5e4326b2d65a2c2d516a45557b4
Opcode Fuzzy Hash: b6208f2d8e3c4a35edaafe7a8085803fd8f27c942fa80abed92b8200fddef056
Instruction Fuzzy Hash: 4741D7B2900214AFCB04DF58E845BAEB7F8EF58710F18852AF955E7741E774AA058BB0

Function 00D23DE0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00D23E7F

Strings

ios_base::eofbit set, xrefs: 00D23E28, 00D23E41, 00D23E63
ios_base::badbit set, xrefs: 00D23E17
ios_base::failbit set, xrefs: 00D23D32, 00D23E1E

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: d52c0e3f0c634a782df01a06be4cd2ef8671fae5e9081a2b42037b7d62bca7ec
Instruction ID: b11738e0bf25e5146083c0727a54ba40468fea444a69d2b8b98e04d1ffec4dd3
Opcode Fuzzy Hash: d52c0e3f0c634a782df01a06be4cd2ef8671fae5e9081a2b42037b7d62bca7ec
Instruction Fuzzy Hash: 8621EBB29003156BC714DF58F806B96B7E8AF54310F18893AFA68A7641E774EA14CBA1

Function 00D26F40 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 349COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00D27340

Strings

parse error, xrefs: 00D26FFF, 00D27018
parse_error, xrefs: 00D26F8B

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$parse_error
API String ID: 2659868963-1820534363
Opcode ID: 5e253fcdd7780dcf95bb47d0ca72f4f7e9cd562b003c4edfce8cd924ff65c799
Instruction ID: 9cf725ae14c55a0abbb76dfb28a914ed8bcd7e3149cddf3ef4e09b582037ebb9
Opcode Fuzzy Hash: 5e253fcdd7780dcf95bb47d0ca72f4f7e9cd562b003c4edfce8cd924ff65c799
Instruction Fuzzy Hash: D8E17D709042188FDB18CF68D985B9DBBF1FF49304F248269E418EB792D7749A85CFA1

Function 00D26C60 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00D26F11
___std_exception_destroy.LIBVCRUNTIME ref: 00D26F20

Strings

[json.exception., xrefs: 00D26CB8

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: db91f23dbdbbb0fc02b0c3528b1359d1eccfaea858dd011208f086ab03d30b79
Instruction ID: 4010d413027c8c22268f29f66a887efa92e168628be1a00764bddace8ce50b1e
Opcode Fuzzy Hash: db91f23dbdbbb0fc02b0c3528b1359d1eccfaea858dd011208f086ab03d30b79
Instruction Fuzzy Hash: 2B91A270A003189FDB18CF68E984B9EBBF6EF55304F20856DE415AB792D771E981CB60

Function 00D9E440 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00D9E491

Strings

type must be boolean, but is , xrefs: 00D9E582
type must be string, but is , xrefs: 00D9E4F8

Memory Dump Source

Source File: 00000000.00000002.4145669550.0000000000D21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000000.00000002.4145585056.0000000000D20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145669550.0000000000E53000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145882356.0000000000E58000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000E5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000000FE5000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.00000000010CB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.0000000001100000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000110C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4145908249.000000000111A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147310202.000000000111B000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4147570115.00000000012C2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d20000_LisectAVT_2403002A_140.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: f453e465752e26eb3167f3548aec6ce29610932599e86b6b3c51d926a53a576d
Instruction ID: 5995bf71652793140ce2ad4cfa703cd9ccd26f16c6d4b808263f2d1edffbf665
Opcode Fuzzy Hash: f453e465752e26eb3167f3548aec6ce29610932599e86b6b3c51d926a53a576d
Instruction Fuzzy Hash: E8416EB1904248AFDF14EBA4E802BAEB7A8DB10714F144679F415E7782EB35E944C7B2

Analysis Process: MPGPH131.exePID: 7348, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	0%
Total number of Nodes:	624
Total number of Limit Nodes:	62

Executed Functions

Function 00A83A40 Relevance: 2.7, APIs: 2, Instructions: 157
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00A83DB6), ref: 00A83B08
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00A83DB6), ref: 00A83BBA

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 01bed4162a67f9c8f4f98040f6f801496c82fa7e738f510d64aae8c16ea8e2be
Instruction ID: e22e3a543ef316c1e262e008ca37abb12136734d42445eb14914160d3c598287
Opcode Fuzzy Hash: 01bed4162a67f9c8f4f98040f6f801496c82fa7e738f510d64aae8c16ea8e2be
Instruction Fuzzy Hash: 3F51BB76A042158FCF28EF58C4D4EAAB7B1EF44B44B298599D845AF311D732EE05CB80

Function 00A3E0A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00A3E0CA
socket.WS2_32(?,?,?), ref: 00A3E17F
connect.WS2_32(00000000,?,?), ref: 00A3E193
closesocket.WS2_32(00000000), ref: 00A3E19E

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: eb15e9222f4f7fe6072cde27fb595f8355d929ac4c247841977754628f6ed95c
Instruction ID: a99e5e7770c33e941601438870cd032a2681422b81e80b3c96bc7f529f025db8
Opcode Fuzzy Hash: eb15e9222f4f7fe6072cde27fb595f8355d929ac4c247841977754628f6ed95c
Instruction Fuzzy Hash: 8131D372605310ABE720DF65DC4472BB7E4EB95734F004F1DF9A8A72D0D73599048BA2

Function 00B14623 Relevance: 3.3, APIs: 2, Instructions: 297
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a3a7be43b2b0dbf91ddf805ed8d7945e5722bdbbb36c4e537c045ef1b937f71
Instruction ID: ce2872535896564733247383b0585b669be3ed501a203cdfe5c62267cb5c27c9
Opcode Fuzzy Hash: 3a3a7be43b2b0dbf91ddf805ed8d7945e5722bdbbb36c4e537c045ef1b937f71
Instruction Fuzzy Hash: 93B1D470A04249AFDB11DFA8D881BEEBBF5EF46304F9441D8E544A72C1CB709D81CB60

Function 00A2A210 Relevance: 1.7, APIs: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 00A2A343

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 8c367c3aec955d43041cd823d5b158986750c373b038dda574dc07a3e579d3f3
Instruction ID: 8b0d85372e3af6bd12631feafcb8f4d598f3a0689ec83bab6a8976c0fea5a663
Opcode Fuzzy Hash: 8c367c3aec955d43041cd823d5b158986750c373b038dda574dc07a3e579d3f3
Instruction Fuzzy Hash: B1712671900214AFDB14DF6CEC49BAEBBE9EF41700F1085ADF8099B682D7B5DA41C792

Function 00B1549C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00B09087,?,00000000,00000000,00000000,?,00000000,?,00A2A3EB,00B09087,00000000,00A2A3EB,?,?), ref: 00B15621

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: da6acde741f8a8484e167aee40d846217b08631e56b0226c89a0fe74747ab89d
Instruction ID: 24a406ae77e5b302c8ab0f9f10a3e84b6d6ecf640b9d2ab997e04310baef010a
Opcode Fuzzy Hash: da6acde741f8a8484e167aee40d846217b08631e56b0226c89a0fe74747ab89d
Instruction Fuzzy Hash: 6261B071900509EFDF21DFA8C884EEEBBFAEF99304F9401C5E804A7245D771DA918BA0

Function 00B04942 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66a76805cb1cdfe67d827dc33810e92775d23ac94a8e1b1f0d9303fe48d9589
Instruction ID: d95b735c852b77f9497c557fc0eaa37f114cc707a5c9b2b13344ef91c7e86b56
Opcode Fuzzy Hash: a66a76805cb1cdfe67d827dc33810e92775d23ac94a8e1b1f0d9303fe48d9589
Instruction Fuzzy Hash: D551A7B0B00208AFDF14CF58CC85AAA7FF5EF45354F248198F9499B292D3719E41CB94

Function 00A90560 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00A906AE

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction ID: 3ced867fdc23f4da8080688d01e28476eb7b291a2c70bcccc270a4040337e8a7
Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction Fuzzy Hash: AF410372A001189FCF15EF68DD80AAE7BE5AF89380F1541A9F905EB342D770DD209BE1

Function 05060867 Relevance: 1.6, APIs: 1, Instructions: 71
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.4153102222.0000000005060000.00000040.00001000.00020000.00000000.sdmp, Offset: 05060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5060000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8c431aa237d64640cb53e7b646a43edb03c208b8ca2f5e786ca1d8e58a02a472
Instruction ID: 2738256f240cfe555ca84fc9b7e7e30785feac3eef398a1d8b963ee39d67b888
Opcode Fuzzy Hash: 8c431aa237d64640cb53e7b646a43edb03c208b8ca2f5e786ca1d8e58a02a472
Instruction Fuzzy Hash: F70126EB1881052C7103D1912F38AFF676EEAD37307308476F403C3142E6D08A4D5071

Function 00B14B12 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00B149F9,00000000,CF830579,00B51140,0000000C,00B14AB5,00B08BBD,?), ref: 00B14B68

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b89a2c85ee3b509bf563dea5eef1b201c068cc0ce0c46ec2efb8a0eec7d4b995
Instruction ID: 24deaddaea6b20bba5a8679aef05b7cc6840326170e3144e66fc00ce07559b57
Opcode Fuzzy Hash: b89a2c85ee3b509bf563dea5eef1b201c068cc0ce0c46ec2efb8a0eec7d4b995
Instruction Fuzzy Hash: D7110432A492241AD6242674AC41BFF77D9CB827B4FB902C9F8589B1C2EF61FCC25195

Function 050608D6 Relevance: 1.6, APIs: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000A483), ref: 0506090E

Memory Dump Source

Source File: 00000005.00000002.4153102222.0000000005060000.00000040.00001000.00020000.00000000.sdmp, Offset: 05060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5060000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 39e7e4c65018134b7fb22dce3eba7563fed263b92f5e7859f3290547a2146c44
Instruction ID: 393cdf92a1d06dafd6c4432b9d7b04732213e8918da186b3f41a4fba6360eda3
Opcode Fuzzy Hash: 39e7e4c65018134b7fb22dce3eba7563fed263b92f5e7859f3290547a2146c44
Instruction Fuzzy Hash: 1EF059F728C112AC7212C6157B389FF239FE6C673033045B3F806C7105D2940E4A2132

Function 00B0E05C Relevance: 1.6, APIs: 1, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00B50DF8,00A2A3EB,00000002,00A2A3EB,00000000,?,?,?,00B0E166,00000000,?,00A2A3EB,00000002,00B50DF8), ref: 00B0E098

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ed1835bb24364ab8f0312d1a1e6d6877c2f465c97bc90e8af911758e60c58406
Instruction ID: af9d95baeb797c7841522102fa61e20144a7253b4df892d0587314d883330971
Opcode Fuzzy Hash: ed1835bb24364ab8f0312d1a1e6d6877c2f465c97bc90e8af911758e60c58406
Instruction Fuzzy Hash: 4101D632610259AFCF159F59DC46C9E3FAADB81324B240688F8609B2D1FAB1ED51DBD0

Function 00AFF290 Relevance: 1.6, APIs: 1, Instructions: 51
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00A2220E

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 5cafe8bfb2d3bcea12107c62a93f18105c9add137713c81c5c2a060ea11ac3a3
Instruction ID: 79f8b9c1d30464d9308d5327f2deb359ddcdac209f3203315d5acd858aebf106
Opcode Fuzzy Hash: 5cafe8bfb2d3bcea12107c62a93f18105c9add137713c81c5c2a060ea11ac3a3
Instruction Fuzzy Hash: A301DB7650030DBBCB14AFD8E801AA97BECDE00310F508575FB1CDB691E770E9548791

Function 0506096D Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000A483), ref: 0506090E

Memory Dump Source

Source File: 00000005.00000002.4153102222.0000000005060000.00000040.00001000.00020000.00000000.sdmp, Offset: 05060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5060000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 36c42164c4b443a664800f4258b9a0752c41f52ac4035676593e1a5e5d627743
Instruction ID: 63f9a80cf3a668dc6a01f891f13e8ab2acec5e956b2e68863c17d898206ee1d5
Opcode Fuzzy Hash: 36c42164c4b443a664800f4258b9a0752c41f52ac4035676593e1a5e5d627743
Instruction Fuzzy Hash: A4F082F73881126CB652D6197F38AFF139EF6C573073186A7F806C6145E2594D8A5132

Function 00B163F3 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,00B091F7,00000000,?,00B15D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,00B0D244,00B089C3,00B091F7,00000000), ref: 00B16434

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f9b7cb1e82295501ef5d8dcf885e7fa1ca8161beaec2feb89a21e95a4daad543
Instruction ID: 59ef0b6240c4488ee893e934ea2466738870c649178104c431c883da00793057
Opcode Fuzzy Hash: f9b7cb1e82295501ef5d8dcf885e7fa1ca8161beaec2feb89a21e95a4daad543
Instruction Fuzzy Hash: BFF0893254522466DB216B66DC17BDB7BC9EF41B64BA580E5BC04A73D0CF30EC9186F1

Function 00B16E2D Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00B1D635,4D88C033,?,00B1D635,00000220,?,00B157EF,4D88C033), ref: 00B16E60

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4d9f7d487e79edf1fe3382536426dbac8a6912d379ca25ba3ea72e477470d80d
Instruction ID: 067e740b4ba2643b2242dd052ced5e0f1b681c6bedee33a5a1eccb120da6747f
Opcode Fuzzy Hash: 4d9f7d487e79edf1fe3382536426dbac8a6912d379ca25ba3ea72e477470d80d
Instruction Fuzzy Hash: 2DE0ED3B14162166DE3022A5ED00BDBBBCCDF927A1FC507E1BC04920D0DF20CC8081E4

Function 050608E1 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(0000A483), ref: 0506090E

Memory Dump Source

Source File: 00000005.00000002.4153102222.0000000005060000.00000040.00001000.00020000.00000000.sdmp, Offset: 05060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5060000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 87e6901fdf57aecb43f15c998be0325d52e0581338647e1f3d83216cab7fc97d
Instruction ID: 213e489657ad9c9713481e94bc83bf4a160dafb7e479a1e80732583767a63180
Opcode Fuzzy Hash: 87e6901fdf57aecb43f15c998be0325d52e0581338647e1f3d83216cab7fc97d
Instruction Fuzzy Hash: 13D0A7C32F45076CB6575F6517BC0BE3A47FA2B52933506B1A8468B106EB948A066BB0

Function 05060900 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(0000A483), ref: 0506090E

Memory Dump Source

Source File: 00000005.00000002.4153102222.0000000005060000.00000040.00001000.00020000.00000000.sdmp, Offset: 05060000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5060000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: de29493d07a198b57250018258ffcbe56263c2f580c7d607376ea71cf9c8f6a0
Instruction ID: ee18a1c8427322cbacfb1723e9717e9283d6e2834a184bef0cd82b944a4d76d7
Opcode Fuzzy Hash: de29493d07a198b57250018258ffcbe56263c2f580c7d607376ea71cf9c8f6a0
Instruction Fuzzy Hash: C4D022A22D88034FB6435338DF7A2EF278AFB22B10B100A70440AC7082EA74C4420062

Function 0507000B Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4153162404.0000000005070000.00000040.00001000.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e95dcc0c7601ae4e3ea5aeacc84b018e6080b692559db0027ff727de5a29a07
Instruction ID: 8c95b34cd279ad005fbd2b16ab35018803d47bc4578103a0af9b294432efe577
Opcode Fuzzy Hash: 8e95dcc0c7601ae4e3ea5aeacc84b018e6080b692559db0027ff727de5a29a07
Instruction Fuzzy Hash: 9321A1AB68C2197EA192D5952B2C9FE7BAEE5C3770730843AF502C6403E2C40A4E6570

Function 05070000 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4153162404.0000000005070000.00000040.00001000.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55dbc2b9d8dad70400db5181b06771dadf41a2b2be74c685f0ac16f8f63a629d
Instruction ID: 2ce794c8887b8a74e739c4cfedb8bb20807a74d724c8c17d98863cea6b9dfd79
Opcode Fuzzy Hash: 55dbc2b9d8dad70400db5181b06771dadf41a2b2be74c685f0ac16f8f63a629d
Instruction Fuzzy Hash: 07119AAB68C1597D718291922B289FE7E6EE5C3730730853AF903D6403E2C40A5E6570

Function 050700CA Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4153162404.0000000005070000.00000040.00001000.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7555075ba1cc060057c86679b5f74449dc5d35ec1d200f814287566d9f8f880
Instruction ID: b2c5aa13de8ac91f21280381659b4fa8bab7e23f3ea33ee155e99dcb8f102e7d
Opcode Fuzzy Hash: e7555075ba1cc060057c86679b5f74449dc5d35ec1d200f814287566d9f8f880
Instruction Fuzzy Hash: CC014CBF64C2487E6246E195332DAFE7F6AE6C73317304166F50395402E1D4065A9A70

Function 05070051 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4153162404.0000000005070000.00000040.00001000.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd23369a7b990163385d15f32c70bfa9a3c297ba1dc47cfd192ffd95b48699d7
Instruction ID: 964e0cc6bac42af29e20fd7ad9513d3c07aced61065947c13cab31fd59818c09
Opcode Fuzzy Hash: bd23369a7b990163385d15f32c70bfa9a3c297ba1dc47cfd192ffd95b48699d7
Instruction Fuzzy Hash: 0A0145AF64C2187D7242E2912B2C9FEBFAEF5C3330730413AF50392503E2D409096A70

Function 05070060 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4153162404.0000000005070000.00000040.00001000.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e50017cfa0cce0c2391c27415c9a81078126f6d6c3ffc78d3f1589c4eec7eb
Instruction ID: 8a01671db21b3ffca706c5bbe37372daf3de11a9be8e04d1688f435031c3ce66
Opcode Fuzzy Hash: 35e50017cfa0cce0c2391c27415c9a81078126f6d6c3ffc78d3f1589c4eec7eb
Instruction Fuzzy Hash: 2A0166BF64C2487EA246E2A5772D9FEBFAAE6C7330B304176F50396443E1D4065A9630

Function 05070087 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4153162404.0000000005070000.00000040.00001000.00020000.00000000.sdmp, Offset: 05070000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5070000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3c0d27172757ff1ab6cadf982b6d20828944ed742bc2bbe2444449556a9b14
Instruction ID: 26b56b32e6bcce55efbffd11459e72792cf01a1def43a63e63e1f410925d4597
Opcode Fuzzy Hash: dd3c0d27172757ff1ab6cadf982b6d20828944ed742bc2bbe2444449556a9b14
Instruction Fuzzy Hash: 1A0170BBA4D2587E678396D136688FD7F96E9C733073441A5F14249402D1D4055A9B31

Non-executed Functions

Function 00B084A0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction ID: b36872ecee027f9b2e13e39631d5047c33f18f73355c9767f5dbf65828867afd
Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction Fuzzy Hash: CD023C71E012199FDF14CFA9C8806AEBBF1FF48314F2582A9D559A7381DB31AA41CB90

Function 00A8F810 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A8F833
std::_Lockit::_Lockit.LIBCPMT ref: 00A8F855
std::_Lockit::~_Lockit.LIBCPMT ref: 00A8F875
std::_Lockit::~_Lockit.LIBCPMT ref: 00A8F89F
std::_Lockit::_Lockit.LIBCPMT ref: 00A8F90D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A8F959
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00A8F973
std::_Lockit::~_Lockit.LIBCPMT ref: 00A8FA08
std::_Facet_Register.LIBCPMT ref: 00A8FA15

Strings

Ps, xrefs: 00A8F96B, 00A8F972
bad locale name, xrefs: 00A8FA2F

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name$Ps
API String ID: 3375549084-1174896957
Opcode ID: 85677738708a11aaa5536fc60d48c91c86dfe125da6f352c0110fd4ca171b247
Instruction ID: 5974b296e22c07219ceef40324bc785aea48628a4af3d3b1fddda3ce0cfdd4f8
Opcode Fuzzy Hash: 85677738708a11aaa5536fc60d48c91c86dfe125da6f352c0110fd4ca171b247
Instruction Fuzzy Hash: 54618F71E002099FEF11EFA4D945BAEBBF4AF14310F1440A8E805AB391EB74ED05CBA1

Function 00A239F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A23A58
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A23AA4
__Getctype.LIBCPMT ref: 00A23ABA
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00A23AE6
std::_Lockit::~_Lockit.LIBCPMT ref: 00A23B7B

Strings

bad locale name, xrefs: 00A23B96

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 74e65b7e673854d32779c1f51adf772b879d26921c27c9682b210d0a3a5cd52a
Instruction ID: 479f40d9e70d441b03722aa1bd24390058f5274e4fdd8c59803a4aeff71e7b9a
Opcode Fuzzy Hash: 74e65b7e673854d32779c1f51adf772b879d26921c27c9682b210d0a3a5cd52a
Instruction Fuzzy Hash: 755141B2D012589FDF10DFE8D945B9EBBF8AF15310F144069E909AB381E779DA04CB91

Function 00B02E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B02E47
___except_validate_context_record.LIBVCRUNTIME ref: 00B02E4F
_ValidateLocalCookies.LIBCMT ref: 00B02ED8
__IsNonwritableInCurrentImage.LIBCMT ref: 00B02F03
_ValidateLocalCookies.LIBCMT ref: 00B02F58

Strings

csm, xrefs: 00B02EED

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: de9b0beaf0c31a1849f1b1de3cbfb95ff9c819868aea62588a721d15b04d0c63
Instruction ID: 044add508d373b559c9799e984781c5974994fb66bd76a9c56fde9910f1886db
Opcode Fuzzy Hash: de9b0beaf0c31a1849f1b1de3cbfb95ff9c819868aea62588a721d15b04d0c63
Instruction Fuzzy Hash: C8418234A002099BCF10DF68C889A9EBFF5EF45354F1481E5E9189B3D2D731AE59CB91

Function 00A8DE70 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A8DE93
std::_Lockit::_Lockit.LIBCPMT ref: 00A8DEB6
std::_Lockit::~_Lockit.LIBCPMT ref: 00A8DED6
std::_Facet_Register.LIBCPMT ref: 00A8DF4B
std::_Lockit::~_Lockit.LIBCPMT ref: 00A8DF63
Concurrency::cancel_current_task.LIBCPMT ref: 00A8DF7B

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 7815a26a62ced9cc1d764f18a0e433352cc5e78e41fa278eb2a25910f52ba060
Instruction ID: aa84ed0369359858202eb05785f489729111ed1578c4f501208826498a4b7252
Opcode Fuzzy Hash: 7815a26a62ced9cc1d764f18a0e433352cc5e78e41fa278eb2a25910f52ba060
Instruction Fuzzy Hash: 0641E2719002199FCB15EF98E941BAEBBB4FF05720F144269F9169B392DB31AD00CBD1

Function 00A24C50 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 442COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00A24F72
___std_exception_destroy.LIBVCRUNTIME ref: 00A24FFF
___std_exception_copy.LIBVCRUNTIME ref: 00A250C8

Strings

recursive_directory_iterator::operator++, xrefs: 00A2504C

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 433eaa9924e5ea96df7bad2a806208e7f28bc10f3e5cac5d86dbf5318dc499ef
Instruction ID: 7bc7670565e4c664d09267f64286b274b2fed6e87ee07c9e9e45033acb4c1696
Opcode Fuzzy Hash: 433eaa9924e5ea96df7bad2a806208e7f28bc10f3e5cac5d86dbf5318dc499ef
Instruction Fuzzy Hash: 0BE126719002149FDB28DF68E945BAEFBF9FF48700F108A2DE45697781E774A904CBA1

Function 00A27820 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 310COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00A2799A
___std_exception_copy.LIBVCRUNTIME ref: 00A27B75

Strings

out_of_range, xrefs: 00A27A27
type_error, xrefs: 00A2784A

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: out_of_range$type_error
API String ID: 2659868963-3702451861
Opcode ID: c6a4f167d4544579af9cf17a68f4c11f5f18efadc715fd545f60574130c1bf44
Instruction ID: 8249b16e414a9b00cabd117bfc2b77ec49489fa8438d1a8c0db7d0fb0361b50f
Opcode Fuzzy Hash: c6a4f167d4544579af9cf17a68f4c11f5f18efadc715fd545f60574130c1bf44
Instruction Fuzzy Hash: 8FC168B19002189FDB18CFACE984B9DBBF1FF49310F148669E419EB791E7749A80CB51

Function 00A273B0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 184COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00A275BE
___std_exception_destroy.LIBVCRUNTIME ref: 00A275CD

Strings

at line , xrefs: 00A273F7
, column , xrefs: 00A27434, 00A2744A

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: e443bb6603405c4ef2fcb47cd30f78f8495b6f4a7d9d35eb2c713d27f2c67488
Instruction ID: 3facbc8b6b9659cc5a3b40a7dc53187ee8bec303fe0b93fd58db1306d8d68f0d
Opcode Fuzzy Hash: e443bb6603405c4ef2fcb47cd30f78f8495b6f4a7d9d35eb2c713d27f2c67488
Instruction Fuzzy Hash: 0561D171A042199FDB08DF68ED85BADBBB6FF49300F244668E415A7B81D774AA408B90

Function 00A23D10 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00A23E7F

Strings

ios_base::badbit set, xrefs: 00A23E17
ios_base::failbit set, xrefs: 00A23D32
ios_base::eofbit set, xrefs: 00A23E41, 00A23E63

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: 46c5e69cfa72c0f8b2ece5bbebf8024a1e3c44dffe1bbeaa2a6dba273868ec52
Instruction ID: 67546f197f3e11b98936be54c3cee34a6c83147bb74e58729a84502d60d2e73f
Opcode Fuzzy Hash: 46c5e69cfa72c0f8b2ece5bbebf8024a1e3c44dffe1bbeaa2a6dba273868ec52
Instruction Fuzzy Hash: BB41D8B2900214AFCB14DF5CD845BAEBBF8EF49710F14857AF919E7741E774AA048BA0

Function 00A23DE0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00A23E7F

Strings

ios_base::badbit set, xrefs: 00A23E17
ios_base::failbit set, xrefs: 00A23D32, 00A23E1E
ios_base::eofbit set, xrefs: 00A23E28, 00A23E41, 00A23E63

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: c7e352f8c7829c4aa3731c036376889265933d0bc91bf71a7a2c10ad613fe142
Instruction ID: 075e09200c7e0ff3f113926b7b8cc7257ebc2ed375f766e92b029fbac1115e34
Opcode Fuzzy Hash: c7e352f8c7829c4aa3731c036376889265933d0bc91bf71a7a2c10ad613fe142
Instruction Fuzzy Hash: 3921EBB39003156FCB14EF5CE805BA6B7F8AF05310F18887AFA6897641E774EA14CB95

Function 00A26F40 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 349COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00A27340

Strings

parse error, xrefs: 00A26FFF, 00A27018
parse_error, xrefs: 00A26F8B

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$parse_error
API String ID: 2659868963-1820534363
Opcode ID: 11ccaa8c6ebb6a61c6e46303caf5fb4812212a756c602575f674647510076497
Instruction ID: f16de575762f1d08cafc519b6641e8dee7674a5916db6d504cfeb3f819a43f06
Opcode Fuzzy Hash: 11ccaa8c6ebb6a61c6e46303caf5fb4812212a756c602575f674647510076497
Instruction Fuzzy Hash: 8BE160709042188FDB18CF68D985B9DBBF1FF49300F2482A9E419EB792D7749A85CF51

Function 00A26C60 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00A26F11
___std_exception_destroy.LIBVCRUNTIME ref: 00A26F20

Strings

[json.exception., xrefs: 00A26CB8

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 68304d1e9aa675b444076e5cccc6eb4774de033f66e11ff63697c237b314d1fa
Instruction ID: 2ace2e93c2d10f4cf5238c2f0110c62c2117403875e2d56bd185a894a95a7433
Opcode Fuzzy Hash: 68304d1e9aa675b444076e5cccc6eb4774de033f66e11ff63697c237b314d1fa
Instruction Fuzzy Hash: 9391C570A012189FDB18CF6CD984B9EBBF6FF49300F20856DE415AB792D775A941CB50

Function 00A9E440 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00A9E491

Strings

type must be boolean, but is , xrefs: 00A9E582
type must be string, but is , xrefs: 00A9E4F8

Memory Dump Source

Source File: 00000005.00000002.4145805846.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000005.00000002.4145770328.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145805846.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145971849.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4145995268.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147443008.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4147804395.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: a36e9888bbe68c14138cbd4c6609129b146156e1ba4c066c2b53cef137eb5d62
Instruction ID: 064ee365e07999a85fb30b18bf8d3dab7f3e7649a1eb1350690e3812f0cb61ed
Opcode Fuzzy Hash: a36e9888bbe68c14138cbd4c6609129b146156e1ba4c066c2b53cef137eb5d62
Instruction Fuzzy Hash: CF415EB1A00248AFDB14EBA4E902B9EB7E8DB14710F1446B4F419D7792EB35EE44C792

Analysis Process: MPGPH131.exePID: 7356, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	0%
Total number of Nodes:	666
Total number of Limit Nodes:	71

Executed Functions

Function 00A83A40 Relevance: 2.7, APIs: 2, Instructions: 157
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00A83DB6), ref: 00A83B08
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00A83DB6), ref: 00A83BBA

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 34eb4bc3a574a2c5498d8afeb74bad0247bd05aef50cff1fdef18f490ef6086a
Instruction ID: 6a2578f7545df6b8a253fb0eadcd3590c8e45e8d9c08f7173da4d0b8e9fd901c
Opcode Fuzzy Hash: 34eb4bc3a574a2c5498d8afeb74bad0247bd05aef50cff1fdef18f490ef6086a
Instruction Fuzzy Hash: FC51CC76A042198FCF28EF58C4D4EA9B7B1FF44B04B298599D845AF311D732EE05CB80

Function 00A3E0A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00A3E0CB
socket.WS2_32(?,?,?), ref: 00A3E17F
connect.WS2_32(00000000,?,?), ref: 00A3E193
closesocket.WS2_32(00000000), ref: 00A3E19E

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: c13c6881eea145e856f8583b00b8354aa117361fcaf1ecb7db0dd638a8ffd312
Instruction ID: ae827200c55012319c5726a828ac9c1968c4935e2ea1e401aa69bdc5b1473048
Opcode Fuzzy Hash: c13c6881eea145e856f8583b00b8354aa117361fcaf1ecb7db0dd638a8ffd312
Instruction Fuzzy Hash: F431C172605311ABE720DF29DC4872BB7E4EB95734F004F1DF9A8A72D0D73599048BA2

Function 00B14623 Relevance: 3.3, APIs: 2, Instructions: 297
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e491a1974102469440201265bcf2b69b03271299a9ac5d9d3220a86be6861bc
Instruction ID: ae2a1035b4c320be05a89286311bd4f2df56639487e8cbe5274e71c26bfcd8dd
Opcode Fuzzy Hash: 1e491a1974102469440201265bcf2b69b03271299a9ac5d9d3220a86be6861bc
Instruction Fuzzy Hash: D7B1D370A04245AFDB11DFA8D881BEEBBF5EF46304F9441D8E544AB2D2CB709D82CB61

Function 00A2A210 Relevance: 1.7, APIs: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 00A2A343

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 2107716beb3caaeb489c8cb672c421214d74c3f2344db6e2f35bd12e672d8bd4
Instruction ID: 27fa3e3a824b522ceb722732df4dfa13ad814aae474bc09b931aff32acfe831d
Opcode Fuzzy Hash: 2107716beb3caaeb489c8cb672c421214d74c3f2344db6e2f35bd12e672d8bd4
Instruction Fuzzy Hash: E6713671900214AFDB14DF6CEC49BAEBBE8EF41700F1085ADF8099B682D7B5DA418792

Function 00B1549C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00B09087,?,00000000,00000000,00000000,?,00000000,?,00A2A3EB,00B09087,00000000,00A2A3EB,?,?), ref: 00B15621

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2c4e7291e69e530703ed9b8fb802cbb41bbe530bb6a42622cf2e86746a9e4095
Instruction ID: 6deb1a2228be82d1a99bea1c33bec47dd39c2b46d1e1933636b33f7598c0f4c4
Opcode Fuzzy Hash: 2c4e7291e69e530703ed9b8fb802cbb41bbe530bb6a42622cf2e86746a9e4095
Instruction Fuzzy Hash: B861A171900519EFDF21DFA8C884EEEBBFAEF99304F9401C5E804A7255D775DA818BA0

Function 05590265 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 0559026E

Memory Dump Source

Source File: 00000006.00000002.4153674973.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5590000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c350eed173f9484ed697c54c0be256f93644a4ce9f34049a787886fb40594132
Instruction ID: 599d11f5a8ed63d8c22c38ec653171bb42c7203404ea4401b6a0e8b3afe561e4
Opcode Fuzzy Hash: c350eed173f9484ed697c54c0be256f93644a4ce9f34049a787886fb40594132
Instruction Fuzzy Hash: EA31E5E710C121BDBE49D1952B68AF7676FF6D27307318C2BF80BC65A2E39C4A4940B1

Function 00B04942 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a66a76805cb1cdfe67d827dc33810e92775d23ac94a8e1b1f0d9303fe48d9589
Instruction ID: d95b735c852b77f9497c557fc0eaa37f114cc707a5c9b2b13344ef91c7e86b56
Opcode Fuzzy Hash: a66a76805cb1cdfe67d827dc33810e92775d23ac94a8e1b1f0d9303fe48d9589
Instruction Fuzzy Hash: D551A7B0B00208AFDF14CF58CC85AAA7FF5EF45354F248198F9499B292D3719E41CB94

Function 00A90560 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00A906AE

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction ID: 3ced867fdc23f4da8080688d01e28476eb7b291a2c70bcccc270a4040337e8a7
Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction Fuzzy Hash: AF410372A001189FCF15EF68DD80AAE7BE5AF89380F1541A9F905EB342D770DD209BE1

Function 00B14B12 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00B149F9,00000000,CF830579,00B51140,0000000C,00B14AB5,00B08BBD,?), ref: 00B14B68

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: da726f92038f32a88c97c5b675a5d40f20a3d73fa3e6ce0047f95dab7679f814
Instruction ID: b2cc99f95b912349ae927e614c3dc3152ff49a96074a327204e0708cd5ac8b63
Opcode Fuzzy Hash: da726f92038f32a88c97c5b675a5d40f20a3d73fa3e6ce0047f95dab7679f814
Instruction Fuzzy Hash: DB114433A4922416D6242674A845BFF77D9CB827B0FB902CDF8088B0C2EF60F8C25155

Function 00B0E05C Relevance: 1.6, APIs: 1, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00B50DF8,00A2A3EB,00000002,00A2A3EB,00000000,?,?,?,00B0E166,00000000,?,00A2A3EB,00000002,00B50DF8), ref: 00B0E098

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f6aeec18fb61651c7c633c014155d71b755f73910b85c4dc4f33ceb1529b37a7
Instruction ID: 38d21af2223b360aff4b3d87bab5d08debf3d4f616f0421a66d914fec239ec28
Opcode Fuzzy Hash: f6aeec18fb61651c7c633c014155d71b755f73910b85c4dc4f33ceb1529b37a7
Instruction Fuzzy Hash: FB01D632614215AFCF159F59CC46C9E3FAADB81320B240689F8A09B2D1FAB1ED41DBD0

Function 00AFF290 Relevance: 1.6, APIs: 1, Instructions: 51
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00A2220E

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 5cafe8bfb2d3bcea12107c62a93f18105c9add137713c81c5c2a060ea11ac3a3
Instruction ID: 79f8b9c1d30464d9308d5327f2deb359ddcdac209f3203315d5acd858aebf106
Opcode Fuzzy Hash: 5cafe8bfb2d3bcea12107c62a93f18105c9add137713c81c5c2a060ea11ac3a3
Instruction Fuzzy Hash: A301DB7650030DBBCB14AFD8E801AA97BECDE00310F508575FB1CDB691E770E9548791

Function 00B163F3 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,00B091F7,00000000,?,00B15D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,00B0D244,00B089C3,00B091F7,00000000), ref: 00B16434

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f9b7cb1e82295501ef5d8dcf885e7fa1ca8161beaec2feb89a21e95a4daad543
Instruction ID: 59ef0b6240c4488ee893e934ea2466738870c649178104c431c883da00793057
Opcode Fuzzy Hash: f9b7cb1e82295501ef5d8dcf885e7fa1ca8161beaec2feb89a21e95a4daad543
Instruction Fuzzy Hash: BFF0893254522466DB216B66DC17BDB7BC9EF41B64BA580E5BC04A73D0CF30EC9186F1

Function 00B16E2D Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00B1D635,4D88C033,?,00B1D635,00000220,?,00B157EF,4D88C033), ref: 00B16E5F

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2e782990140c1738193b61aa501f0c48256bfe3f1f6da202176a2eccde4f56e9
Instruction ID: ce7572f552d3fc374cdf44185deadfe252e76fd786c7ff1d9d1bc52f1f2b9514
Opcode Fuzzy Hash: 2e782990140c1738193b61aa501f0c48256bfe3f1f6da202176a2eccde4f56e9
Instruction Fuzzy Hash: AAE0ED3B14162166DE3022A5EC01BDBBBCCDF927A0FD603E1BC04A20E0CF20CC8085A4

Non-executed Functions

Function 00B084A0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction ID: b36872ecee027f9b2e13e39631d5047c33f18f73355c9767f5dbf65828867afd
Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction Fuzzy Hash: CD023C71E012199FDF14CFA9C8806AEBBF1FF48314F2582A9D559A7381DB31AA41CB90

Function 00A8F810 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A8F833
std::_Lockit::_Lockit.LIBCPMT ref: 00A8F855
std::_Lockit::~_Lockit.LIBCPMT ref: 00A8F875
std::_Lockit::~_Lockit.LIBCPMT ref: 00A8F89F
std::_Lockit::_Lockit.LIBCPMT ref: 00A8F90D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A8F959
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00A8F973
std::_Lockit::~_Lockit.LIBCPMT ref: 00A8FA08
std::_Facet_Register.LIBCPMT ref: 00A8FA15

Strings

Ps, xrefs: 00A8F96B, 00A8F972
bad locale name, xrefs: 00A8FA2F

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name$Ps
API String ID: 3375549084-1174896957
Opcode ID: 85677738708a11aaa5536fc60d48c91c86dfe125da6f352c0110fd4ca171b247
Instruction ID: 5974b296e22c07219ceef40324bc785aea48628a4af3d3b1fddda3ce0cfdd4f8
Opcode Fuzzy Hash: 85677738708a11aaa5536fc60d48c91c86dfe125da6f352c0110fd4ca171b247
Instruction Fuzzy Hash: 54618F71E002099FEF11EFA4D945BAEBBF4AF14310F1440A8E805AB391EB74ED05CBA1

Function 00A239F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A23A58
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A23AA4
__Getctype.LIBCPMT ref: 00A23ABA
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00A23AE6
std::_Lockit::~_Lockit.LIBCPMT ref: 00A23B7B

Strings

bad locale name, xrefs: 00A23B96

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 74e65b7e673854d32779c1f51adf772b879d26921c27c9682b210d0a3a5cd52a
Instruction ID: 479f40d9e70d441b03722aa1bd24390058f5274e4fdd8c59803a4aeff71e7b9a
Opcode Fuzzy Hash: 74e65b7e673854d32779c1f51adf772b879d26921c27c9682b210d0a3a5cd52a
Instruction Fuzzy Hash: 755141B2D012589FDF10DFE8D945B9EBBF8AF15310F144069E909AB381E779DA04CB91

Function 00B02E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B02E47
___except_validate_context_record.LIBVCRUNTIME ref: 00B02E4F
_ValidateLocalCookies.LIBCMT ref: 00B02ED8
__IsNonwritableInCurrentImage.LIBCMT ref: 00B02F03
_ValidateLocalCookies.LIBCMT ref: 00B02F58

Strings

csm, xrefs: 00B02EED

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: de9b0beaf0c31a1849f1b1de3cbfb95ff9c819868aea62588a721d15b04d0c63
Instruction ID: 044add508d373b559c9799e984781c5974994fb66bd76a9c56fde9910f1886db
Opcode Fuzzy Hash: de9b0beaf0c31a1849f1b1de3cbfb95ff9c819868aea62588a721d15b04d0c63
Instruction Fuzzy Hash: C8418234A002099BCF10DF68C889A9EBFF5EF45354F1481E5E9189B3D2D731AE59CB91

Function 00A8DE70 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00A8DE93
std::_Lockit::_Lockit.LIBCPMT ref: 00A8DEB6
std::_Lockit::~_Lockit.LIBCPMT ref: 00A8DED6
std::_Facet_Register.LIBCPMT ref: 00A8DF4B
std::_Lockit::~_Lockit.LIBCPMT ref: 00A8DF63
Concurrency::cancel_current_task.LIBCPMT ref: 00A8DF7B

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 7815a26a62ced9cc1d764f18a0e433352cc5e78e41fa278eb2a25910f52ba060
Instruction ID: aa84ed0369359858202eb05785f489729111ed1578c4f501208826498a4b7252
Opcode Fuzzy Hash: 7815a26a62ced9cc1d764f18a0e433352cc5e78e41fa278eb2a25910f52ba060
Instruction Fuzzy Hash: 0641E2719002199FCB15EF98E941BAEBBB4FF05720F144269F9169B392DB31AD00CBD1

Function 00A24C50 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 442COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00A24F72
___std_exception_destroy.LIBVCRUNTIME ref: 00A24FFF
___std_exception_copy.LIBVCRUNTIME ref: 00A250C8

Strings

recursive_directory_iterator::operator++, xrefs: 00A2504C

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 433eaa9924e5ea96df7bad2a806208e7f28bc10f3e5cac5d86dbf5318dc499ef
Instruction ID: 7bc7670565e4c664d09267f64286b274b2fed6e87ee07c9e9e45033acb4c1696
Opcode Fuzzy Hash: 433eaa9924e5ea96df7bad2a806208e7f28bc10f3e5cac5d86dbf5318dc499ef
Instruction Fuzzy Hash: 0BE126719002149FDB28DF68E945BAEFBF9FF48700F108A2DE45697781E774A904CBA1

Function 00A27820 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 310COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00A2799A
___std_exception_copy.LIBVCRUNTIME ref: 00A27B75

Strings

out_of_range, xrefs: 00A27A27
type_error, xrefs: 00A2784A

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: out_of_range$type_error
API String ID: 2659868963-3702451861
Opcode ID: c6a4f167d4544579af9cf17a68f4c11f5f18efadc715fd545f60574130c1bf44
Instruction ID: 8249b16e414a9b00cabd117bfc2b77ec49489fa8438d1a8c0db7d0fb0361b50f
Opcode Fuzzy Hash: c6a4f167d4544579af9cf17a68f4c11f5f18efadc715fd545f60574130c1bf44
Instruction Fuzzy Hash: 8FC168B19002189FDB18CFACE984B9DBBF1FF49310F148669E419EB791E7749A80CB51

Function 00A273B0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 184COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00A275BE
___std_exception_destroy.LIBVCRUNTIME ref: 00A275CD

Strings

at line , xrefs: 00A273F7
, column , xrefs: 00A27434, 00A2744A

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: e443bb6603405c4ef2fcb47cd30f78f8495b6f4a7d9d35eb2c713d27f2c67488
Instruction ID: 3facbc8b6b9659cc5a3b40a7dc53187ee8bec303fe0b93fd58db1306d8d68f0d
Opcode Fuzzy Hash: e443bb6603405c4ef2fcb47cd30f78f8495b6f4a7d9d35eb2c713d27f2c67488
Instruction Fuzzy Hash: 0561D171A042199FDB08DF68ED85BADBBB6FF49300F244668E415A7B81D774AA408B90

Function 00A23D10 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00A23E7F

Strings

ios_base::failbit set, xrefs: 00A23D32
ios_base::eofbit set, xrefs: 00A23E41, 00A23E63
ios_base::badbit set, xrefs: 00A23E17

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: 46c5e69cfa72c0f8b2ece5bbebf8024a1e3c44dffe1bbeaa2a6dba273868ec52
Instruction ID: 67546f197f3e11b98936be54c3cee34a6c83147bb74e58729a84502d60d2e73f
Opcode Fuzzy Hash: 46c5e69cfa72c0f8b2ece5bbebf8024a1e3c44dffe1bbeaa2a6dba273868ec52
Instruction Fuzzy Hash: BB41D8B2900214AFCB14DF5CD845BAEBBF8EF49710F14857AF919E7741E774AA048BA0

Function 00A23DE0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00A23E7F

Strings

ios_base::failbit set, xrefs: 00A23D32, 00A23E1E
ios_base::eofbit set, xrefs: 00A23E28, 00A23E41, 00A23E63
ios_base::badbit set, xrefs: 00A23E17

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: c7e352f8c7829c4aa3731c036376889265933d0bc91bf71a7a2c10ad613fe142
Instruction ID: 075e09200c7e0ff3f113926b7b8cc7257ebc2ed375f766e92b029fbac1115e34
Opcode Fuzzy Hash: c7e352f8c7829c4aa3731c036376889265933d0bc91bf71a7a2c10ad613fe142
Instruction Fuzzy Hash: 3921EBB39003156FCB14EF5CE805BA6B7F8AF05310F18887AFA6897641E774EA14CB95

Function 00A26F40 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 349COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00A27340

Strings

parse_error, xrefs: 00A26F8B
parse error, xrefs: 00A26FFF, 00A27018

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$parse_error
API String ID: 2659868963-1820534363
Opcode ID: 11ccaa8c6ebb6a61c6e46303caf5fb4812212a756c602575f674647510076497
Instruction ID: f16de575762f1d08cafc519b6641e8dee7674a5916db6d504cfeb3f819a43f06
Opcode Fuzzy Hash: 11ccaa8c6ebb6a61c6e46303caf5fb4812212a756c602575f674647510076497
Instruction Fuzzy Hash: 8BE160709042188FDB18CF68D985B9DBBF1FF49300F2482A9E419EB792D7749A85CF51

Function 00A26C60 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00A26F11
___std_exception_destroy.LIBVCRUNTIME ref: 00A26F20

Strings

[json.exception., xrefs: 00A26CB8

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 68304d1e9aa675b444076e5cccc6eb4774de033f66e11ff63697c237b314d1fa
Instruction ID: 2ace2e93c2d10f4cf5238c2f0110c62c2117403875e2d56bd185a894a95a7433
Opcode Fuzzy Hash: 68304d1e9aa675b444076e5cccc6eb4774de033f66e11ff63697c237b314d1fa
Instruction Fuzzy Hash: 9391C570A012189FDB18CF6CD984B9EBBF6FF49300F20856DE415AB792D775A941CB50

Function 00A9E440 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00A9E491

Strings

type must be boolean, but is , xrefs: 00A9E582
type must be string, but is , xrefs: 00A9E4F8

Memory Dump Source

Source File: 00000006.00000002.4145632604.0000000000A21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A20000, based on PE: true

Associated: 00000006.00000002.4145594627.0000000000A20000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145632604.0000000000B53000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145815751.0000000000B58000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000B5C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000CE5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000DCB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E00000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E0C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4145840458.0000000000E1A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4146294218.0000000000E1B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4147456894.0000000000FC2000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_a20000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: a36e9888bbe68c14138cbd4c6609129b146156e1ba4c066c2b53cef137eb5d62
Instruction ID: 064ee365e07999a85fb30b18bf8d3dab7f3e7649a1eb1350690e3812f0cb61ed
Opcode Fuzzy Hash: a36e9888bbe68c14138cbd4c6609129b146156e1ba4c066c2b53cef137eb5d62
Instruction Fuzzy Hash: CF415EB1A00248AFDB14EBA4E902B9EB7E8DB14710F1446B4F419D7792EB35EE44C792

Analysis Process: RageMP131.exePID: 7644, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	0%
Total number of Nodes:	535
Total number of Limit Nodes:	64

Executed Functions

Function 00323A40 Relevance: 2.7, APIs: 2, Instructions: 157
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00323DB6), ref: 00323B08
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00323DB6), ref: 00323BBA

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3474705ba0b5ded6ac0d7a181e8ab92046dac25ddf2e8eb16796a96b47921138
Instruction ID: 3625aa647ecdea9a6bf72388af7d0c9ff623ae441a64524262457d2ebefeec45
Opcode Fuzzy Hash: 3474705ba0b5ded6ac0d7a181e8ab92046dac25ddf2e8eb16796a96b47921138
Instruction Fuzzy Hash: AD51DB35A042298FCB26CF48D8D0EAAB7B5FF48704F2A45AAD445AF311D735EE05CB80

Function 050E0A5D Relevance: 1.6, APIs: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050E0B2B

Memory Dump Source

Source File: 00000007.00000002.4154003797.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e356178eeefc4597194558fc3d776a3a60dc8ae5721b4d64da1ea73fba789c1c
Instruction ID: ed50e365c4108a2014e8888872ff243e81a309b923afdb4ed422409aca9b2441
Opcode Fuzzy Hash: e356178eeefc4597194558fc3d776a3a60dc8ae5721b4d64da1ea73fba789c1c
Instruction Fuzzy Hash: 0121D4A660D119ADE242C2113E79AFE67AFF6DA7307388466F40BE2605D2D40A895131

Function 002DE0A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 002DE0CB
socket.WS2_32(?,?,?), ref: 002DE17F
connect.WS2_32(00000000,?,?), ref: 002DE193
closesocket.WS2_32(00000000), ref: 002DE19E

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 72c13cd8eccc0e5a51a749fd4154eb507656569d51edd7ba5db4a4780cc80463
Instruction ID: 2efa72ecf63d3668d59b70372f0ea50c8ca33f8dda6aa7789ebec43c6cb0755f
Opcode Fuzzy Hash: 72c13cd8eccc0e5a51a749fd4154eb507656569d51edd7ba5db4a4780cc80463
Instruction Fuzzy Hash: A831D4712153016BDB209F288848B2BB7E4EB86734F010F1EF9A8A62D0D335DD148BA2

Function 0039F290 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C220E

Strings

`!,, xrefs: 002C2216
`!,, xrefs: 002C21FC

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!,$`!,
API String ID: 2659868963-131796292
Opcode ID: b98c0836f34af107737a736fb2a735cc9b8bd2b82c2110377a4073ac3ac69d35
Instruction ID: b57cb395a27a42587f7a4215873edfaa2b57a53ff93080de2b9c04a48af21253
Opcode Fuzzy Hash: b98c0836f34af107737a736fb2a735cc9b8bd2b82c2110377a4073ac3ac69d35
Instruction Fuzzy Hash: 8E012B7950030DAFCF1AAF98E802E9977ACDA01310B548539FA59DF991EB70E9548790

Function 003A4942 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

O:, xrefs: 003A4A93, 003A4A61, 003A4AAB, 003A4AC7

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID: O:
API String ID: 0-1127995068
Opcode ID: 8ed38200a054be15eb2fd55e798bacc87c6ec1d92598dd95a83dc30ca6f77a59
Instruction ID: 505034c5702062155f2dbba11dd310682df43c0c5f60d6e4eff5772046c36150
Opcode Fuzzy Hash: 8ed38200a054be15eb2fd55e798bacc87c6ec1d92598dd95a83dc30ca6f77a59
Instruction Fuzzy Hash: 2D51C970A00108AFDF16CF58CC45AAABFF5EF8A354F258158F8499B252D3B1DE51CB94

Function 003B4623 Relevance: 3.3, APIs: 2, Instructions: 297
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79504544eb9453dba6312337a5fa147f30054e394b6233fe122bc66c4724efc7
Instruction ID: da14436355e68fc8b4143af12857a8153149df9fe92b224816b7d50e76981203
Opcode Fuzzy Hash: 79504544eb9453dba6312337a5fa147f30054e394b6233fe122bc66c4724efc7
Instruction Fuzzy Hash: 82B11170A04249AFDB13DFA8D841BFEBBB5EF46308F154158E641ABA83C7719D41CB68

Function 002CA210 Relevance: 1.7, APIs: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 002CA343

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 12be30bbab5b9742c08f96a78177a5330c361607c5c209745953888d19f400a9
Instruction ID: 41dfdf3f8dc952150cb8320164db988f2eaff2855e3ba57d8abd100d89177555
Opcode Fuzzy Hash: 12be30bbab5b9742c08f96a78177a5330c361607c5c209745953888d19f400a9
Instruction Fuzzy Hash: 21716870910248AFDB19DF68DC49FAFB7E8EF42304F10866DF8099B282D7B59941C792

Function 003B549C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,003A9087,?,00000000,00000000,00000000,?,00000000,?,002CA3EB,003A9087,00000000,002CA3EB,?,?), ref: 003B5621

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: fdff6189ff75fb097df4227b5174733eadd6494a1a850bdaf4c7fc12d5dcfadc
Instruction ID: ebd295c15b8830ab3da7d54180cef05ae6cd90172642c05e5a346491e97c205f
Opcode Fuzzy Hash: fdff6189ff75fb097df4227b5174733eadd6494a1a850bdaf4c7fc12d5dcfadc
Instruction Fuzzy Hash: 0161C371D00519AFDF12DFA8C884FFEBBBAAF59308F150145EA40AB655D372D901CBA0

Function 050E09CF Relevance: 1.6, APIs: 1, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050E0B2B

Memory Dump Source

Source File: 00000007.00000002.4154003797.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 64a7917ddad0f100956176b2ab94be277aa8e10f9f679d11a6cb5f03ef60c03c
Instruction ID: f0d22bc79cdbbe5fd081de6eb386e0c18d8c5e707b15e26e6b77f91278bb1566
Opcode Fuzzy Hash: 64a7917ddad0f100956176b2ab94be277aa8e10f9f679d11a6cb5f03ef60c03c
Instruction Fuzzy Hash: E2215CEB64D119BCA212C1423B79EFE676FE6D67347388477F407D6506D2C40A8A5131

Function 00330560 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 003306AE

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction ID: ecc22976a83301610031e09e5ea3c49feecf00cf758957440164320a3e431bee
Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction Fuzzy Hash: 6B41F672A041149FCB1ADF68D99166E7BA9EF89310F150269FC05EB305D770DD608BE1

Function 050E09FC Relevance: 1.6, APIs: 1, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050E0B2B

Memory Dump Source

Source File: 00000007.00000002.4154003797.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ae824611690113cb59a1cc160dd9d717098bca4d9c36d2b101fdafa774a98689
Instruction ID: f167204bc76cc7979a6704c920ea9acbf39e99af9c80af919b73fc7d385912c0
Opcode Fuzzy Hash: ae824611690113cb59a1cc160dd9d717098bca4d9c36d2b101fdafa774a98689
Instruction Fuzzy Hash: B021D2F660D11ABCA212C5563F79EFF67AFE2DA7307348426F41BE2505D2D40A895131

Function 050E0A1A Relevance: 1.6, APIs: 1, Instructions: 112
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050E0B2B

Memory Dump Source

Source File: 00000007.00000002.4154003797.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f2beb40197afe89dfcf694164d2830f6279d91baa277692c26a0652adb381580
Instruction ID: 6bb80c44da85540918fbe0aba0eb70b6e642813859b5f54cdfa7be20859f8164
Opcode Fuzzy Hash: f2beb40197afe89dfcf694164d2830f6279d91baa277692c26a0652adb381580
Instruction Fuzzy Hash: 0021B4F764D02ABCA252C1453B79EFE67AFF6DA7307388466B40BE6605D2C40B8A5131

Function 050E0A4F Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050E0B2B

Memory Dump Source

Source File: 00000007.00000002.4154003797.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b5ee4ac652893e5a480f04d0878758f0b983dd488556854cf6734d58ebfeb6bb
Instruction ID: 020da0c64580eb75e77b8ad5caaf9d950563348cf9bc3b38b7f8fe525a2c2829
Opcode Fuzzy Hash: b5ee4ac652893e5a480f04d0878758f0b983dd488556854cf6734d58ebfeb6bb
Instruction Fuzzy Hash: 0C11C1B760D12AECA202C1463F79EFF67AFE6DA7307348466B407D2615D3C40A896531

Function 050E0AE6 Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050E0B2B

Memory Dump Source

Source File: 00000007.00000002.4154003797.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 253d284f5e7ad1ba7c4e40768836b8ca58217698409c8adc3972b20ffbbde7e9
Instruction ID: cbb71d9be3f6e77996f78a02a8b26a9e4bae30a9b3516111b58cfbcf5cb068d4
Opcode Fuzzy Hash: 253d284f5e7ad1ba7c4e40768836b8ca58217698409c8adc3972b20ffbbde7e9
Instruction Fuzzy Hash: F21138E620C111ADF602C2153F7DEFE6BAFE6DA334334446BF447D6606D6C40A8A9131

Function 050E0A7D Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050E0B2B

Memory Dump Source

Source File: 00000007.00000002.4154003797.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ca7c5d443b08a6344d779bf14eed227cc752d1111630e253dc0c475cede90eeb
Instruction ID: d2d4837acc834e8ae8cdf7ab3ab8cd432010b104a4e539bee307f901fcfba5cc
Opcode Fuzzy Hash: ca7c5d443b08a6344d779bf14eed227cc752d1111630e253dc0c475cede90eeb
Instruction Fuzzy Hash: 8E11CEF620C029BCA202C1463F79EFF67AFE2D97347348466F80BE2905D3D40A895931

Function 050E0AB4 Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050E0B2B

Memory Dump Source

Source File: 00000007.00000002.4154003797.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 952af7b05a7b3907a40854ec090494ea7503195e5a7d87d59c7d2bdc4b0b37d7
Instruction ID: 4309c0869a8da916158d47be8aac5363ce4510bda8b76cb77f1c678acafdd212
Opcode Fuzzy Hash: 952af7b05a7b3907a40854ec090494ea7503195e5a7d87d59c7d2bdc4b0b37d7
Instruction Fuzzy Hash: FE11C2F664C211BDA202C2653F38EFFAB6FE6DA7347348866B407E6116D2D40A895132

Function 050E0A86 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050E0B2B

Memory Dump Source

Source File: 00000007.00000002.4154003797.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d5922c3c0ec478ed5b8321fbc172d937d71b89600f0798ce33fceb514478cb8a
Instruction ID: b6da9da81ff17ba95b0e825112ede1a327bccf69c91efea1776350671b5ff48e
Opcode Fuzzy Hash: d5922c3c0ec478ed5b8321fbc172d937d71b89600f0798ce33fceb514478cb8a
Instruction Fuzzy Hash: E711A1F620C126BCA202C6463F78EFF676FF6D97347348866B40BE2505D7D40A895631

Function 050E0A9F Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050E0B2B

Memory Dump Source

Source File: 00000007.00000002.4154003797.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 99a4536b5182f1130127e567bd952c91547f2c8366efa3fe2b27cd61431193af
Instruction ID: 4997ad1cdfab122b26ec7f1b89f0b60feccb9da9da15505f5eb07ade9723e1bc
Opcode Fuzzy Hash: 99a4536b5182f1130127e567bd952c91547f2c8366efa3fe2b27cd61431193af
Instruction Fuzzy Hash: 6A11A1F620C115ADA216C6153E78EFFA76FE6D5734330882AF44BE1605D7D40A895531

Function 050E0B3F Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050E0B2B

Memory Dump Source

Source File: 00000007.00000002.4154003797.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 361d5849515e16f1c3b34d3e13012c28ddcf3e035943824c96cceae8bc6a5a24
Instruction ID: b654026fde555b948323d0f9118ecde96fa84ac3e07d808d475c5ee57b3f3c1c
Opcode Fuzzy Hash: 361d5849515e16f1c3b34d3e13012c28ddcf3e035943824c96cceae8bc6a5a24
Instruction Fuzzy Hash: F3018CE264C022BCB506C1257E78EFF67AFF6C5738730882BF04BD2615E6D51A899532

Function 050E0B10 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050E0B2B

Memory Dump Source

Source File: 00000007.00000002.4154003797.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 4b9df61f9f190ab86be6429b37f093ec9258c4ab6d3856c66afe0b40042a085f
Instruction ID: 13dc2d13e384560ff96630083670a0206122e042a92bd3107211552e3fa3cb22
Opcode Fuzzy Hash: 4b9df61f9f190ab86be6429b37f093ec9258c4ab6d3856c66afe0b40042a085f
Instruction Fuzzy Hash: 8B018FE660C111ADB602C2553F34EFF6B6EE6D5B30730886BF407D2519D2944E895172

Function 003B4B12 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,003B49F9,00000000,CF830579,003F1140,0000000C,003B4AB5,003A8BBD,?), ref: 003B4B68

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: fff2aa4a1c9f725e6408a5bada54437f282138d253e7aaf41bee23da29bafd97
Instruction ID: 42c73e7d8de935b33e7e9d2b65723dee775c54ed73c20c87ccfbab07185c2276
Opcode Fuzzy Hash: fff2aa4a1c9f725e6408a5bada54437f282138d253e7aaf41bee23da29bafd97
Instruction Fuzzy Hash: 63114C32A4051416CA27A2746805BFE5B498BC277CF2B0209FB889BDC3EE60DC41429D

Function 003AE05C Relevance: 1.6, APIs: 1, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,003F0DF8,002CA3EB,00000002,002CA3EB,00000000,?,?,?,003AE166,00000000,?,002CA3EB,00000002,003F0DF8), ref: 003AE098

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 68c8a78b53464149745752088994439ebc0a68bdef9cc5879acad293f8907830
Instruction ID: 0fc2ca94311086e1adc07c422d232b4bf378b3a989949e53891c5022f7b6e4e3
Opcode Fuzzy Hash: 68c8a78b53464149745752088994439ebc0a68bdef9cc5879acad293f8907830
Instruction Fuzzy Hash: CD01D632610515AFCF16DF6ADC05D9E3B29DB82324B250248F8919B2D1E6B1ED41CBD0

Function 003B63F3 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,003A91F7,00000000,?,003B5D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,003AD244,003A89C3,003A91F7,00000000), ref: 003B6434

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2678cb5b31c5a0322a27ccfbc2e88bebfa24c4e27d98946444b0e0aad67befd8
Instruction ID: 4acdd90f581af4dfb00d46bd0567171c988701c64a0205525695f23803b5de7d
Opcode Fuzzy Hash: 2678cb5b31c5a0322a27ccfbc2e88bebfa24c4e27d98946444b0e0aad67befd8
Instruction Fuzzy Hash: 04F0B431505924679B236B639C03BDB3B4C9F8176CB268025AA05AAC82CE24DC0186E1

Function 003B6E2D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,003BD635,4D88C033,?,003BD635,00000220,?,003B57EF,4D88C033), ref: 003B6E60

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a4d404628d4d44d3cda38a5ce1ff7b559f195bc8fd00819313ebd3c77fb8f0e5
Instruction ID: c398f954d106bc5601e8d7938234700b2a7fb90cd076246b8a5384e320de4b34
Opcode Fuzzy Hash: a4d404628d4d44d3cda38a5ce1ff7b559f195bc8fd00819313ebd3c77fb8f0e5
Instruction Fuzzy Hash: 70E0ED3910062266DA3322A5CE13BEB764CDF823A8F160520EF059AC92CF28C80087A4

Function 050F01B7 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4154034651.00000000050F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cff440bf535c732e842f638483a3f77d512992c8373e7e0edf52beb7f51be5a6
Instruction ID: 95981c34e20f0560b93a11a98a32b1fb2e0fbedb3effa7f1183b1638f2201707
Opcode Fuzzy Hash: cff440bf535c732e842f638483a3f77d512992c8373e7e0edf52beb7f51be5a6
Instruction Fuzzy Hash: 42119DFB18C221BEA242D5427A68AFE6B6FE5C2370770842AF903C5D07E3D55A0D6231

Function 050F01BE Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4154034651.00000000050F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09327ee46238bce886b8e127fe5efc11bfc13ce9ce9821a7ae9029250de48d30
Instruction ID: b7eabfdddd3546d36ef66d38ce60a5c136f18f8520672ac48059b7b1374e995a
Opcode Fuzzy Hash: 09327ee46238bce886b8e127fe5efc11bfc13ce9ce9821a7ae9029250de48d30
Instruction Fuzzy Hash: E01190BB148225BEA242D5427B68AFE6B6FE5C2330770842AF903C5D07D3D51A4D6231

Function 050F01CC Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4154034651.00000000050F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bad878d99da823abe6a82538e861de55afa43e9c2b3f10f171d2e17815fdee49
Instruction ID: 428068b3f7b3d3ac6b363596ea301f7e62035b5891881a8606ef461a9b7e0f2f
Opcode Fuzzy Hash: bad878d99da823abe6a82538e861de55afa43e9c2b3f10f171d2e17815fdee49
Instruction Fuzzy Hash: A111AFBB148220BEA242D5427A68AFEAB6FE5C2330770803AF903C5D07D3D91A0D6271

Function 050F01D1 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4154034651.00000000050F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cd4c11c4f9e908642bc503cbaa295779b32bfae1e45131daad18fc022d41813
Instruction ID: 9460d78b247874df00161a2cb4a3db41c24f03cc337a9333f75272a1dbed2ae4
Opcode Fuzzy Hash: 6cd4c11c4f9e908642bc503cbaa295779b32bfae1e45131daad18fc022d41813
Instruction Fuzzy Hash: 9311AFFB148220BEA642D5427B68AFEAB6FE5C2330774842AF503C5D07D3C91A1D6271

Function 050F01EE Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4154034651.00000000050F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fde0085ef66bfcf5d78c4aed69a42e4b024607936f4c274611029a28ecd259a
Instruction ID: 654c25417b39db825a33b8faf7d65f94cae662f54ec1f4fe5ccac0ae5723ce6b
Opcode Fuzzy Hash: 7fde0085ef66bfcf5d78c4aed69a42e4b024607936f4c274611029a28ecd259a
Instruction Fuzzy Hash: 6D11B6FB14C110BEB242D1527A69AFFAB6FE6C27307708427F903C1D47D3951A596271

Function 050F0277 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4154034651.00000000050F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a4894466b6947da169a4619b9ac8c8b76e415a740f02f5d02b5b70357c0248
Instruction ID: 3c2616291ba8a74133a05c2477c54e6f6c865e75076e7b709c90f6b847bd0e1c
Opcode Fuzzy Hash: c4a4894466b6947da169a4619b9ac8c8b76e415a740f02f5d02b5b70357c0248
Instruction Fuzzy Hash: DA01E1BB14C220EEA682E54276A96FE7B6BE6C23307708027F60385D0792942A596371

Function 050F023B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4154034651.00000000050F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2435c248f2e7d5f6b9deb24751398713918425ac49f10296b4a05333b1f9257d
Instruction ID: 09a8da06986c9b1a5ef3af6f2db08c773759067a149a75bb1b3d4b51c18474b2
Opcode Fuzzy Hash: 2435c248f2e7d5f6b9deb24751398713918425ac49f10296b4a05333b1f9257d
Instruction Fuzzy Hash: 2EF0447A00C210DF8792E55271FD2FE3B57AB933307A0002AFA0349E03C6552A549360

Function 050F0261 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4154034651.00000000050F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a876fad5a162737cc11c9d04b4819d7fe2082c528047384655414de5cf53bcc3
Instruction ID: 243908e820e87b0800e4a5cc4a282e7984d90859195f91e65da8e99f4a90845e
Opcode Fuzzy Hash: a876fad5a162737cc11c9d04b4819d7fe2082c528047384655414de5cf53bcc3
Instruction Fuzzy Hash: A2F059BA54C311CF8391F4A2A1FE2FE7F9BB6D33707B0002AF60346E43A284156153A1

Function 050F028E Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4154034651.00000000050F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_50f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 267bcfbe80478f446c4ecffe70e7e3c1e2c9cee89050743df7d3917cde8af3c1
Instruction ID: e16fff3e03aabb742eff8ce2b4c03ec011425b75444f35deff998b9f384a797d
Opcode Fuzzy Hash: 267bcfbe80478f446c4ecffe70e7e3c1e2c9cee89050743df7d3917cde8af3c1
Instruction Fuzzy Hash: 4DF0ECB7558225DB8352B49261EE2FD7B9B77973703F01029F20346E43928915655360

Non-executed Functions

Function 003A84A0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction ID: 98ccf139a8a4d5b6bb8807c094869e375602db42d7e2cc9e4b51a062b86e78b9
Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction Fuzzy Hash: 54023B71E012199FDF15CFA9C8806AEBBF5FF49314F258269D919EB380DB31A9418B90

Function 0032F810 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0032F833
std::_Lockit::_Lockit.LIBCPMT ref: 0032F855
std::_Lockit::~_Lockit.LIBCPMT ref: 0032F875
std::_Lockit::~_Lockit.LIBCPMT ref: 0032F89F
std::_Lockit::_Lockit.LIBCPMT ref: 0032F90D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0032F959
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0032F973
std::_Lockit::~_Lockit.LIBCPMT ref: 0032FA08
std::_Facet_Register.LIBCPMT ref: 0032FA15

Strings

bad locale name, xrefs: 0032FA2F
">, xrefs: 0032F96B, 0032F972

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name$">
API String ID: 3375549084-744497921
Opcode ID: c7da17e2bf791320939d8630616a2901d5bf520318ede485cf7a94a7ed8fbc3f
Instruction ID: 848c9dcfc6e38abb142eca5ef7d48ebf4a6ad53e006f9f76193b363c08ef0780
Opcode Fuzzy Hash: c7da17e2bf791320939d8630616a2901d5bf520318ede485cf7a94a7ed8fbc3f
Instruction Fuzzy Hash: 7361AFB1D00258DFEF12DFA4E845B9EBBB8AF14710F144178E805AB341EB35E905CBA1

Function 002C3D10 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 152COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C3E7F

Strings

@3,, xrefs: 002C3DBE, 002C3E9B
ios_base::badbit set, xrefs: 002C3E17
@3,, xrefs: 002C3E84
ios_base::failbit set, xrefs: 002C3D32
G>,, xrefs: 002C3D2B, 002C3D67, 002C3D6A
`!,, xrefs: 002C3E70
ios_base::eofbit set, xrefs: 002C3E41, 002C3E63
G>,, xrefs: 002C3DB8

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @3,$@3,$G>,$G>,$`!,$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1824058124
Opcode ID: a35cf2be4074591dd225ef0c9b237d9c066734985f87b62e2c54f31530a43e87
Instruction ID: aeeac9620c634ed1c6b9437d40cc3da155b6658ad227f890d80c877a2f21427b
Opcode Fuzzy Hash: a35cf2be4074591dd225ef0c9b237d9c066734985f87b62e2c54f31530a43e87
Instruction Fuzzy Hash: 2E41A4B6910205AFCB05DF58C845FEEB7F9EF49310F14CA2EE915D7641E770AA118BA0

Function 003A2E10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 003A2E47
___except_validate_context_record.LIBVCRUNTIME ref: 003A2E4F
_ValidateLocalCookies.LIBCMT ref: 003A2ED8
__IsNonwritableInCurrentImage.LIBCMT ref: 003A2F03
_ValidateLocalCookies.LIBCMT ref: 003A2F58

Strings

csm, xrefs: 003A2EED
i?, xrefs: 003A2F78

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: i?$csm
API String ID: 1170836740-3060081385
Opcode ID: b9e9f749dd4044be8acf8585c0536db50f70d73dff611b0bdb3c5e5ccea10a1d
Instruction ID: 43d3631f161a9df51cda3f839ea66e15e4cb7b7f7bad89945d3594a441bd00bf
Opcode Fuzzy Hash: b9e9f749dd4044be8acf8585c0536db50f70d73dff611b0bdb3c5e5ccea10a1d
Instruction Fuzzy Hash: B3419F30A00209AFCF16DF6CC881E9FBBB5EF46314F148156E8149B252D731EE55CB90

Function 002C3DE0 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 79COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C3E7F

Strings

@3,, xrefs: 002C3DBE, 002C3E9B
ios_base::badbit set, xrefs: 002C3E17
@3,, xrefs: 002C3E84
ios_base::failbit set, xrefs: 002C3D32, 002C3E1E
`!,, xrefs: 002C3E70
ios_base::eofbit set, xrefs: 002C3E28, 002C3E41, 002C3E63

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @3,$@3,$`!,$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1830230726
Opcode ID: 1960a754fbad110628dced66654e132ba2cd72f953cb5f37d7ce7e5d525612c8
Instruction ID: 87725362fa75ff139afb592ef2ea42a8c091f2d3d20d449ca91a7eeba6559391
Opcode Fuzzy Hash: 1960a754fbad110628dced66654e132ba2cd72f953cb5f37d7ce7e5d525612c8
Instruction Fuzzy Hash: B921F3B69107056FC715DE58D805F96B7ECAF05310F08C92EFA69CB681E770EA208B90

Function 002C4C50 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 442COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002C4F72
___std_exception_destroy.LIBVCRUNTIME ref: 002C4FFF
___std_exception_copy.LIBVCRUNTIME ref: 002C50C8

Strings

@3,, xrefs: 002C50CD
`!,, xrefs: 002C4F6B, 002C4FF8, 002C50B9
recursive_directory_iterator::operator++, xrefs: 002C504C

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: @3,$`!,$recursive_directory_iterator::operator++
API String ID: 1206660477-4040103403
Opcode ID: 29114ef834047216d2e85d22071d2eefd040255a495451995457185fd9ee1277
Instruction ID: c3df36e84c3e6df68e54e6e440f886dd19e26bb34065404740834babd7423b67
Opcode Fuzzy Hash: 29114ef834047216d2e85d22071d2eefd040255a495451995457185fd9ee1277
Instruction Fuzzy Hash: B2E100719106049FCB29EF68D855BAFBBF9FF48300F108A2DE41697B81D774A914CBA1

Function 002C7820 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 310COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C799A
___std_exception_copy.LIBVCRUNTIME ref: 002C7B75

Strings

`!,, xrefs: 002C79A5, 002C7B80
`!,, xrefs: 002C7985, 002C7B60
type_error, xrefs: 002C784A
out_of_range, xrefs: 002C7A27

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!,$`!,$out_of_range$type_error
API String ID: 2659868963-2346395918
Opcode ID: 89bcd8f281e8e30f4087adecd1507c6131f3705ee8ed7c3b278c332ff666381a
Instruction ID: d82aae48d67053eaf2eb3db1fcc2e54941fe058f4d4c60fd3960f3ccd8ccd8a0
Opcode Fuzzy Hash: 89bcd8f281e8e30f4087adecd1507c6131f3705ee8ed7c3b278c332ff666381a
Instruction Fuzzy Hash: 40C147B19002488FDB19CFA8D984B9EFBF5FB49300F14866DE419EB791E774A9808F50

Function 002C3190 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 170COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C32C6
___std_exception_destroy.LIBVCRUNTIME ref: 002C3350

Strings

`!,, xrefs: 002C32D1
+4,, xrefs: 002C3190
@3,, xrefs: 002C3316
`!,, xrefs: 002C32AD, 002C3349

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: +4,$@3,$`!,$`!,
API String ID: 2970364248-3618221396
Opcode ID: 52d4f94a023961a687025cfeaf01a1f50f44adcf34dbe80784d60ca07c93c970
Instruction ID: fcff9a33369a1ccaff54f113f1dc1e9f7b487d1f19138f880c5f5b4d75ab2852
Opcode Fuzzy Hash: 52d4f94a023961a687025cfeaf01a1f50f44adcf34dbe80784d60ca07c93c970
Instruction Fuzzy Hash: F751BC71A102589FCB09CF98D885FEEBBB9FF49300F14862DE815E7381D770AA418B91

Function 002C39F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002C3A58
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002C3AA4
__Getctype.LIBCPMT ref: 002C3ABA
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 002C3AE6
std::_Lockit::~_Lockit.LIBCPMT ref: 002C3B7B

Strings

bad locale name, xrefs: 002C3B96

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: e36aa50c78bc88faadc7ffe906281f20477be9ed329a3cbfbe0a1c52ff1da6db
Instruction ID: ce7dde66f17cb8d015d71b1639d42a41b8527ce08a15aacfceb127d988bdb8cf
Opcode Fuzzy Hash: e36aa50c78bc88faadc7ffe906281f20477be9ed329a3cbfbe0a1c52ff1da6db
Instruction Fuzzy Hash: 2B5180B1D002089FEF11DFA4D845F8EBBB8EF14314F148569E809AB341E775DA14CBA1

Function 0032DE70 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0032DE93
std::_Lockit::_Lockit.LIBCPMT ref: 0032DEB6
std::_Lockit::~_Lockit.LIBCPMT ref: 0032DED6
std::_Facet_Register.LIBCPMT ref: 0032DF4B
std::_Lockit::~_Lockit.LIBCPMT ref: 0032DF63
Concurrency::cancel_current_task.LIBCPMT ref: 0032DF7B

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 0e4bff71e461c6a6dcc3bb92afc927025e247c025320dd96e0779962ef1b8e2c
Instruction ID: 806a0a4ee7a9027488b30f048f0031ac7f78f7ea088439ad973384b94172c710
Opcode Fuzzy Hash: 0e4bff71e461c6a6dcc3bb92afc927025e247c025320dd96e0779962ef1b8e2c
Instruction Fuzzy Hash: 2C41F371D00229EFCF16DF54E946AAEBBB8FB04720F254269E815AB352D731AD00CBD5

Function 002C6F40 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 349COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C7340

Strings

`!,, xrefs: 002C734B
parse error, xrefs: 002C6FFF, 002C7018
parse_error, xrefs: 002C6F8B
`!,, xrefs: 002C7328

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!,$`!,$parse error$parse_error
API String ID: 2659868963-1006035392
Opcode ID: 8cd3bcd93a3b2557a1c8209c409e96c6ee2af055fe3b0c931fb06a96a8dd8bda
Instruction ID: 9ae3b6f9146255615c20dee7ba9a1efb1b854a0f3ab4754a4d1f45dd5981581a
Opcode Fuzzy Hash: 8cd3bcd93a3b2557a1c8209c409e96c6ee2af055fe3b0c931fb06a96a8dd8bda
Instruction Fuzzy Hash: 2EE180709142488FDB19CF68C884B9DBBB5FF49300F2482ADE419EB792D7749A91CF91

Function 002C73B0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002C75BE
___std_exception_destroy.LIBVCRUNTIME ref: 002C75CD

Strings

at line , xrefs: 002C73F7
`!,, xrefs: 002C75B6, 002C75C6
, column , xrefs: 002C7434, 002C744A

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column $`!,
API String ID: 4194217158-4202377963
Opcode ID: 2f3aca66b85c28655bf017df4ae2f95d8957d8dc7eef54b921db3a2699b2975b
Instruction ID: 95bcbe514ab9d85a1368d2a35ad8f3de8fcc9166a9e0756f5520c00476279486
Opcode Fuzzy Hash: 2f3aca66b85c28655bf017df4ae2f95d8957d8dc7eef54b921db3a2699b2975b
Instruction Fuzzy Hash: 5361F270A102049FDB1DCF68DC84BADBBB6FF45300F24862CE415ABB81D774AA548B90

Function 002C3370 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 002C3190: ___std_exception_copy.LIBVCRUNTIME ref: 002C32C6

___std_exception_copy.LIBVCRUNTIME ref: 002C345F

Strings

+4,, xrefs: 002C33B3, 002C3410
@3,, xrefs: 002C3464
@3,, xrefs: 002C33F3, 002C347B
`!,, xrefs: 002C3450

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: +4,$@3,$@3,$`!,
API String ID: 2659868963-1443510104
Opcode ID: f645f1abb756e67c29598abb2d5918c7e000217a19d2455a6f758c8b8ec95f92
Instruction ID: 68f15a29851d4798c8bfa9e54581a23a0309fe96e9779fefc060270f61809815
Opcode Fuzzy Hash: f645f1abb756e67c29598abb2d5918c7e000217a19d2455a6f758c8b8ec95f92
Instruction Fuzzy Hash: 0E3183759002099FCB19DFA8D841EEEFBF9FB09310F14862EE515D7641E770AA50CB90

Function 002C3410 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C345F

Strings

+4,, xrefs: 002C33B3, 002C3410
@3,, xrefs: 002C3464
@3,, xrefs: 002C33F3, 002C347B
`!,, xrefs: 002C3450

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: +4,$@3,$@3,$`!,
API String ID: 2659868963-1443510104
Opcode ID: e69a750ecc1df1fe38bfa402db9b7ea98f17a4bd210f7054a6817afad410cf05
Instruction ID: 98ca65bc141818e9e8be821c03711afb18b3f91a49789e512eb075c25b964425
Opcode Fuzzy Hash: e69a750ecc1df1fe38bfa402db9b7ea98f17a4bd210f7054a6817afad410cf05
Instruction Fuzzy Hash: 4F01FFB6500609AF8709DFA9D445D96FBFDEF45310700856AE619C7611E7B0E524CB90

Function 002C6C60 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 247COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002C6F11
___std_exception_destroy.LIBVCRUNTIME ref: 002C6F20

Strings

[json.exception., xrefs: 002C6CB8
`!,, xrefs: 002C6F09, 002C6F19

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.$`!,
API String ID: 4194217158-4272543052
Opcode ID: 6b5fe7bf6d439631cca7e0d7b519aafcf7bab3b455747d88b61b463015c3205f
Instruction ID: 9b4939c686bf724d6650fca8faa27e0feda52fcc9ddecf4e3340a0870fbf2473
Opcode Fuzzy Hash: 6b5fe7bf6d439631cca7e0d7b519aafcf7bab3b455747d88b61b463015c3205f
Instruction Fuzzy Hash: DB91C170A102089FDB19CF68D888F9EBBF6EF45300F20866DE415EB792D771AA41CB51

Function 002C2270 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 002C2275

Part of subcall function 0039D6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0039D6F5

Strings

L?, xrefs: 002C2347
string too long, xrefs: 002C2270
L?, xrefs: 002C2427

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: string too long$L?$L?
API String ID: 1997705970-123487069
Opcode ID: f4c5f38f9d7aad4239cc08b5c8beb98812d1db4da204b6c8ef3914b0f73c37bd
Instruction ID: dd925a892a296c18c71e297c9e71156b01bd94b2ad6d4369200f4fd4078f83bc
Opcode Fuzzy Hash: f4c5f38f9d7aad4239cc08b5c8beb98812d1db4da204b6c8ef3914b0f73c37bd
Instruction Fuzzy Hash: 72815875A14286DFCB16CF68C450BEEBFB5EF5A300F1842AEC85497742CB744559CBA0

Function 002C7620 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 167COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C77B4

Strings

`!,, xrefs: 002C77BF
invalid_iterator, xrefs: 002C7656
`!,, xrefs: 002C779F

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!,$`!,$invalid_iterator
API String ID: 2659868963-2975477599
Opcode ID: f9af32ae31d2764dde020eaa00b297af1a64b1b99441c18947169715aac168fc
Instruction ID: 7ae622d35bd49e252d91b1580ade8475b775a18f1358f4fd674cc29e4d7ff7c1
Opcode Fuzzy Hash: f9af32ae31d2764dde020eaa00b297af1a64b1b99441c18947169715aac168fc
Instruction Fuzzy Hash: 945126B49002488FDB19CFA8D984B9DFBF5BB49300F14866DE419EB791E774A984CF90

Function 002C7BE0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C7D67

Strings

`!,, xrefs: 002C7D72
`!,, xrefs: 002C7D52
other_error, xrefs: 002C7C0A

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!,$`!,$other_error
API String ID: 2659868963-91030564
Opcode ID: 077acc363295ce71f6880b237dd8b78ac49714c166a982cdc643bcf0d492710f
Instruction ID: 785aa8b9ee2df5d97bb8491778ea8565d8532ccb9fd89f2783a7e48f45b68474
Opcode Fuzzy Hash: 077acc363295ce71f6880b237dd8b78ac49714c166a982cdc643bcf0d492710f
Instruction Fuzzy Hash: FB5159B09102488FDB19CFA8D984BADBBF5BF49300F14826DE41AEB781D774A980CF50

Function 0032D050 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0032D06F
___std_exception_copy.LIBVCRUNTIME ref: 0032D096

Strings

`!,, xrefs: 0032D09B
`!,, xrefs: 0032D060, 0032D085

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!,$`!,
API String ID: 2659868963-131796292
Opcode ID: fda45eaca5a2a3375049ca3a9f1f0e42212fab633ab1c617919edb592068f32d
Instruction ID: cd66280b534122bc97cfea25501ddb8ce24887227b71baafc4e819a4882c7814
Opcode Fuzzy Hash: fda45eaca5a2a3375049ca3a9f1f0e42212fab633ab1c617919edb592068f32d
Instruction Fuzzy Hash: 3801A8B6500605AFC709DF59D505882FBF8FB45710701852FA52ACBB10D7B0F528CFA0

Function 0033B3C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0033B3DF
___std_exception_copy.LIBVCRUNTIME ref: 0033B406

Strings

`!,, xrefs: 0033B40E
`!,, xrefs: 0033B3D0, 0033B3F5

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!,$`!,
API String ID: 2659868963-131796292
Opcode ID: 33224eedb60b00052ef9821f182cdade65a20e2118268496b1892af6ab0dfaae
Instruction ID: 7ffc48444c00a5f2e5916a8a396a0ec09ac2cac1ba2a6e4d85042cf0187bbedf
Opcode Fuzzy Hash: 33224eedb60b00052ef9821f182cdade65a20e2118268496b1892af6ab0dfaae
Instruction Fuzzy Hash: 51F0C9BA500605AF870ADF55D505886FBE9FA45710701852FE52ACB710E7B0E524CFA0

Function 0033B450 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0033B612

Strings

Px3, xrefs: 0033B456, 0033B5BA, 0033B5F3, 0033B54A, 0033B4F1
invalid hash bucket count, xrefs: 0033B60D

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_
String ID: Px3$invalid hash bucket count
API String ID: 909987262-3929844800
Opcode ID: 2c31a51e89d1f531b10096a841aae069538f5ced431e223398b4d968c871e341
Instruction ID: baa2fb8dfb592d1c246ee4ada5ba0da3aca42410c3c89a65fff46d1c7481fffa
Opcode Fuzzy Hash: 2c31a51e89d1f531b10096a841aae069538f5ced431e223398b4d968c871e341
Instruction Fuzzy Hash: 007110B5A00609DFCB15CF49C18086AFBF5FF89300B24C5AAE9599B356D731EA41CF90

Function 0033E440 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0033E491

Strings

type must be string, but is , xrefs: 0033E4F8
type must be boolean, but is , xrefs: 0033E582

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: bfa142b9c803a961c630923ba647d987ddd347ad785699a15434d44261b3eab8
Instruction ID: 63bb39df0c3336eab0832f6b413576b0e73107a3a0c755c4eac858a0ff2882fb
Opcode Fuzzy Hash: bfa142b9c803a961c630923ba647d987ddd347ad785699a15434d44261b3eab8
Instruction Fuzzy Hash: 3B4189B5900248AFCB16EBA4E842F9EB7A8DF04300F144678F419DB6C2EB35ED40C792

Function 002C3050 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C3078

Strings

`!,, xrefs: 002C3080
`!,, xrefs: 002C3063

Memory Dump Source

Source File: 00000007.00000002.4146167296.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 00000007.00000002.4145584611.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4146167296.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147267330.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147310163.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4147847240.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4148165343.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!,$`!,
API String ID: 2659868963-131796292
Opcode ID: cdbe7dc67c6cbed460adb684ff0e0d72b18ec48e5f3dce6c7405cfac71d5c719
Instruction ID: d4901aacff365470a7f5fdc28c78e6377a10569d98a2c594d6814354f05a432c
Opcode Fuzzy Hash: cdbe7dc67c6cbed460adb684ff0e0d72b18ec48e5f3dce6c7405cfac71d5c719
Instruction Fuzzy Hash: 67E0EDB69012089FC711DFA8990598AFBE8AB19701F0086AAE948DB300F6B0A9548BD1

Analysis Process: RageMP131.exePID: 8008, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	0%
Total number of Nodes:	739
Total number of Limit Nodes:	73

Executed Functions

Function 00323A40 Relevance: 2.7, APIs: 2, Instructions: 157
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00323DB6), ref: 00323B08
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00323DB6), ref: 00323BBA

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 71ed90e01c1aed8083a70a097ba5ab8ead6a3b687c4e4d6190e9172bfe2c6271
Instruction ID: 91dc85d17f3bae4b57190b649c487a2b525e381dd4a0a78a30bf23758c18063d
Opcode Fuzzy Hash: 71ed90e01c1aed8083a70a097ba5ab8ead6a3b687c4e4d6190e9172bfe2c6271
Instruction Fuzzy Hash: E851DB35A042298FCB26CF48D8D0EAAB7B5FF48704F2A45AAD445AF351D735EE05CB80

Function 002DE0A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 002DE0CB
socket.WS2_32(?,?,?), ref: 002DE17F
connect.WS2_32(00000000,?,?), ref: 002DE193
closesocket.WS2_32(00000000), ref: 002DE19E

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 1ad525fec809e1d9a1d1448ce24afe92b518e95eb00c348dc32251ec83b61205
Instruction ID: af7f4545d7030fc19157390074eea9d8a7df52d351a552e5f45b6674b940bc67
Opcode Fuzzy Hash: 1ad525fec809e1d9a1d1448ce24afe92b518e95eb00c348dc32251ec83b61205
Instruction Fuzzy Hash: 4631B4717153016BDB209F298848B2BB7E4EB86764F014F1EF9A8A63D0D375DD148BA2

Function 04E1081C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 271
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E10915

Strings

kQZ^, xrefs: 04E10C2F
af, xrefs: 04E10840

Memory Dump Source

Source File: 0000000B.00000002.4154267256.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: af$kQZ^
API String ID: 2104809126-3757534479
Opcode ID: 2726adb349a2cbc5de4b95cd98235c306983ca2d0fcf4acaf7a59f9cd3abf9d0
Instruction ID: d313c1e8b3acf1ad6d9b5f63e830764677e6d0bcbe7bc1c84ee8bc6754417fb3
Opcode Fuzzy Hash: 2726adb349a2cbc5de4b95cd98235c306983ca2d0fcf4acaf7a59f9cd3abf9d0
Instruction Fuzzy Hash: 775145F73CD215EDE14292815B20AFA66ADE7D7330730A0A7F107C6E22F2942AC97571

Function 0039F290 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C220E

Strings

`!,, xrefs: 002C21FC
`!,, xrefs: 002C2216

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!,$`!,
API String ID: 2659868963-131796292
Opcode ID: b98c0836f34af107737a736fb2a735cc9b8bd2b82c2110377a4073ac3ac69d35
Instruction ID: b57cb395a27a42587f7a4215873edfaa2b57a53ff93080de2b9c04a48af21253
Opcode Fuzzy Hash: b98c0836f34af107737a736fb2a735cc9b8bd2b82c2110377a4073ac3ac69d35
Instruction Fuzzy Hash: 8E012B7950030DAFCF1AAF98E802E9977ACDA01310B548539FA59DF991EB70E9548790

Function 04E10854 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E10915

Strings

kQZ^, xrefs: 04E10C2F

Memory Dump Source

Source File: 0000000B.00000002.4154267256.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: kQZ^
API String ID: 2104809126-1822040756
Opcode ID: 3fae23fe90edf24e9895fca884ec0846bc43a00af33b149e86d06f13685bc144
Instruction ID: 1fa4c073c4bfe8437751c6eb539180456aa40cc1adce26b8826a12384d276844
Opcode Fuzzy Hash: 3fae23fe90edf24e9895fca884ec0846bc43a00af33b149e86d06f13685bc144
Instruction Fuzzy Hash: 425134F73CD215EDE14292915B24AFA26ADE7C7330730A0A7F107CAD22F2942AC97571

Function 04E1089F Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E10915

Strings

kQZ^, xrefs: 04E10C2F

Memory Dump Source

Source File: 0000000B.00000002.4154267256.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: kQZ^
API String ID: 2104809126-1822040756
Opcode ID: bf845019a1eeb672ee41f47d3f73fd6ad8be3f98b1425b85d497a80aed4f5419
Instruction ID: 78adf9844a5ba7e4953ae5398a06eadbf6e2e7e5a5b2e7668dba779becc697e3
Opcode Fuzzy Hash: bf845019a1eeb672ee41f47d3f73fd6ad8be3f98b1425b85d497a80aed4f5419
Instruction Fuzzy Hash: 085138F73CD219EDE14291904B54AFA26ADF7D733073060A7B107D6D22F2942AC97571

Function 04E108E5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E10915

Strings

kQZ^, xrefs: 04E10C2F

Memory Dump Source

Source File: 0000000B.00000002.4154267256.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: kQZ^
API String ID: 2104809126-1822040756
Opcode ID: 3db4df05bf5852f483caf74da701456763f2f79347106f1e1d6b84d853f4ec60
Instruction ID: 346da235162c6cd5caefe0ed990272aacaf9724f76e482d59d8dce48f6a00bdb
Opcode Fuzzy Hash: 3db4df05bf5852f483caf74da701456763f2f79347106f1e1d6b84d853f4ec60
Instruction Fuzzy Hash: EB5156FB3CD115EDE14291910B24AFA2A6DE7C7330730A0A7F147CAE22F2942AC97571

Function 04E10902 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E10915

Strings

kQZ^, xrefs: 04E10C2F

Memory Dump Source

Source File: 0000000B.00000002.4154267256.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: kQZ^
API String ID: 2104809126-1822040756
Opcode ID: ccd505b473511ffeb6974183630a2ac58064a0d9e25df96bc8554b1d58e0c4cf
Instruction ID: 82145cfe610d495adbf2035bd31ab038aee34da3c632b285d05b98fbbf5986ef
Opcode Fuzzy Hash: ccd505b473511ffeb6974183630a2ac58064a0d9e25df96bc8554b1d58e0c4cf
Instruction Fuzzy Hash: 7F4136FB3CD115EDE14292911B24EFA666DE7D7330730A0A7B10BC6E22F2942AC97571

Function 003A4942 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

O:, xrefs: 003A4A93, 003A4A61, 003A4AAB, 003A4AC7

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID: O:
API String ID: 0-1127995068
Opcode ID: 8ed38200a054be15eb2fd55e798bacc87c6ec1d92598dd95a83dc30ca6f77a59
Instruction ID: 505034c5702062155f2dbba11dd310682df43c0c5f60d6e4eff5772046c36150
Opcode Fuzzy Hash: 8ed38200a054be15eb2fd55e798bacc87c6ec1d92598dd95a83dc30ca6f77a59
Instruction Fuzzy Hash: 2D51C970A00108AFDF16CF58CC45AAABFF5EF8A354F258158F8499B252D3B1DE51CB94

Function 003B4623 Relevance: 3.3, APIs: 2, Instructions: 297
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dd322dfb9335e76631b75594efa328453792d8a2e061105e0e4c129f1bfca14
Instruction ID: a496502764fd570d71c580340c9f0ed5a2db584216c8e175bd51c5b4dd560d28
Opcode Fuzzy Hash: 9dd322dfb9335e76631b75594efa328453792d8a2e061105e0e4c129f1bfca14
Instruction Fuzzy Hash: AAB11270A00249AFDB13DFA8D841BFEBBB5EF86308F154158E641ABA83C7719D41CB64

Function 002CA210 Relevance: 1.7, APIs: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 002CA343

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 08f1aa8b8f2f1b8912de4617c306bf37e9fc4f227ce84ee2f49d6ab5b1134b01
Instruction ID: a00e3e123af81a0e42c399a2ecbdcf23a7ac393f14bb7b3a79e6b83304b67baa
Opcode Fuzzy Hash: 08f1aa8b8f2f1b8912de4617c306bf37e9fc4f227ce84ee2f49d6ab5b1134b01
Instruction Fuzzy Hash: 2D716A70910248AFDB19DF68CC45FAFB7E8EF42304F10866DF8099B682D7B59941C792

Function 003B549C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,003A9087,?,00000000,00000000,00000000,?,00000000,?,002CA3EB,003A9087,00000000,002CA3EB,?,?), ref: 003B5621

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: fabb9356c4dce4825e087b92e7564e55e12dbaf77b68223222400de3b131a096
Instruction ID: e245f98e6f6d04caf1e4f4dd57ec45e133d404ccb9456949b9da43e00a2c3f08
Opcode Fuzzy Hash: fabb9356c4dce4825e087b92e7564e55e12dbaf77b68223222400de3b131a096
Instruction Fuzzy Hash: 5261A371D00519AFDF12DFA8C845FEEBBB9EF59308F150145EA01AB655D371D901CBA0

Function 003306C0 Relevance: 1.7, APIs: 1, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00330807

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 72ae2a14724d4e83691c0531f3cf1eefdbecef984361d26ffcaed67d00a3d962
Instruction ID: c8bf2c818218b6886c3d9410c924f2f2938f0109db667c52f09d50c5b3bfcdd0
Opcode Fuzzy Hash: 72ae2a14724d4e83691c0531f3cf1eefdbecef984361d26ffcaed67d00a3d962
Instruction Fuzzy Hash: FB4128729001189FCB1AEF68DDC16AEB7A5EF45350F1502A9FC05EB341DB70AE508BE1

Function 00330560 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 003306AE

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction ID: ecc22976a83301610031e09e5ea3c49feecf00cf758957440164320a3e431bee
Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction Fuzzy Hash: 6B41F672A041149FCB1ADF68D99166E7BA9EF89310F150269FC05EB305D770DD608BE1

Function 003B4B12 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,003B49F9,00000000,CF830579,003F1140,0000000C,003B4AB5,003A8BBD,?), ref: 003B4B68

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5b7730caa616b24931fa598cd3b356ea1aa453b306f1dbf4098addb9780e694b
Instruction ID: a8a0d0fb7392b0fe1b2a1ea8784d74267f4290aae1481a18c35eb88e19a780eb
Opcode Fuzzy Hash: 5b7730caa616b24931fa598cd3b356ea1aa453b306f1dbf4098addb9780e694b
Instruction Fuzzy Hash: CD114833A4451416DA27A2346802BFE6B498BC277CF2B0209FB889BDD3EE60DC41429D

Function 003AE05C Relevance: 1.6, APIs: 1, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,003F0DF8,002CA3EB,00000002,002CA3EB,00000000,?,?,?,003AE166,00000000,?,002CA3EB,00000002,003F0DF8), ref: 003AE098

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2e6d5ce1398ae5ac4221009854fb1974fb0771fb93a0230b53c4f0de03328614
Instruction ID: 77097ca0ee20c9accf77d2f0f3d6b9c3148e19342d5f2d9b0907866a61ce74ed
Opcode Fuzzy Hash: 2e6d5ce1398ae5ac4221009854fb1974fb0771fb93a0230b53c4f0de03328614
Instruction Fuzzy Hash: C801F932610559AFCF16DF6ACC05D9E3B29DB82334F250248F9919B2D1EAB1ED41CBD0

Function 003B63F3 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,003A91F7,00000000,?,003B5D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,003AD244,003A89C3,003A91F7,00000000), ref: 003B6435

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 09d8c2a1bff31d9820f263882116984f83ae1e7772d3841609f2c9534b73c46c
Instruction ID: ea1ee5ccf3cd3dd61f3603b5004e7549283b7fd164a67c13235fe57eae6cccfa
Opcode Fuzzy Hash: 09d8c2a1bff31d9820f263882116984f83ae1e7772d3841609f2c9534b73c46c
Instruction Fuzzy Hash: 14F0B431501924679B236B639C03BEB3B4C9F8176CF268011AE059AC82CE24D80186E1

Function 003B6E2D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,003BD635,4D88C033,?,003BD635,00000220,?,003B57EF,4D88C033), ref: 003B6E60

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a580f57ec31fa291a66ac021b8b8a82ac6972e665556a40e2809ad0bf9de45ab
Instruction ID: c398f954d106bc5601e8d7938234700b2a7fb90cd076246b8a5384e320de4b34
Opcode Fuzzy Hash: a580f57ec31fa291a66ac021b8b8a82ac6972e665556a40e2809ad0bf9de45ab
Instruction Fuzzy Hash: 70E0ED3910062266DA3322A5CE13BEB764CDF823A8F160520EF059AC92CF28C80087A4

Function 04E2013A Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

_yo, xrefs: 04E20122

Memory Dump Source

Source File: 0000000B.00000002.4154297826.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID: _yo
API String ID: 0-1308214902
Opcode ID: 0679a0da29e504f1fbe0844da5e185ff899c48968ecf273b560e770ce545e2bb
Instruction ID: 6c6f7c1c387d230927c166b6ceb75a9379b8f6256bd42d03fec7926cbeedf87e
Opcode Fuzzy Hash: 0679a0da29e504f1fbe0844da5e185ff899c48968ecf273b560e770ce545e2bb
Instruction Fuzzy Hash: D0113AE764C230EED2428E8157406FA7B65EB976303306526F60BB7183F1952E49B571

Function 04E20156 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4154297826.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f88b42e847d036b40114f8e76244828b3a42a2a0cc9eb2ac0890e2ef0ab7db3
Instruction ID: f26de1a354936684772003a723407bce72cf1a5e665c1090644bc3350f58da1a
Opcode Fuzzy Hash: 9f88b42e847d036b40114f8e76244828b3a42a2a0cc9eb2ac0890e2ef0ab7db3
Instruction Fuzzy Hash: 8A01D6DB288220AEE14299816B447F6BB79A7D76307706136F547F7183F2D42B497130

Function 04E20131 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4154297826.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d70f69b9e5e13f52e88ceb6364c84dcea9659baf8005797f6a0b455c7aa04724
Instruction ID: 0676c88295ac25e8150aeb675ce894a20f0eed88a6d36e3e468f387ebf6d6671
Opcode Fuzzy Hash: d70f69b9e5e13f52e88ceb6364c84dcea9659baf8005797f6a0b455c7aa04724
Instruction Fuzzy Hash: FF01B5DB28C230BDE142898567446F67A69A3C7630370A126F607F6683F2D42F497131

Function 04E20184 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4154297826.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18bcd079775b746d1441fb1dda913a7333cb4d7afdf472f313cb5d6938feeba6
Instruction ID: bf284451f1d97a1a6d1c55a7439a20248b1b366b26c2bb9fa32321fff5b7e847
Opcode Fuzzy Hash: 18bcd079775b746d1441fb1dda913a7333cb4d7afdf472f313cb5d6938feeba6
Instruction Fuzzy Hash: 54F04CD724C230EED242CA8457447F67BA5B7D76307306126F64BF6283F1992B097231

Function 04E201AD Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4154297826.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b77970f9e8fcee6758a64f938827f22be2e38460cee51a8ac6de057d6a43acf
Instruction ID: e3a858eba69bd30a5145f40299833d2e8b688f5896cab4ebbac88e3796c658ed
Opcode Fuzzy Hash: 7b77970f9e8fcee6758a64f938827f22be2e38460cee51a8ac6de057d6a43acf
Instruction Fuzzy Hash: FBF059B768C231DED381999563463F9B762A387630770603BF147E72C3F24416597221

Function 04E2019B Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4154297826.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5537975c92f2fb2cbb89fa818272b957778558c147e6cd8fcbd20bb40d90a455
Instruction ID: 3910e8ec943571ca86bac916abaecfbf129773280e07aae65dda4708c45cc404
Opcode Fuzzy Hash: 5537975c92f2fb2cbb89fa818272b957778558c147e6cd8fcbd20bb40d90a455
Instruction Fuzzy Hash: 0CF0E99728C230EDD242898567047F5BA6563876707706637F64BB66C3F285270D7231

Function 04E201E6 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4154297826.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc6e62f0298c5b73f6fa83c2aad5c83153095882054b1d219fb11bf5e8b0b0c
Instruction ID: c01188cb4e7f7b8ee122a5fef5ccbd013c7d89bc220af1f6ab018eda2f6acd9e
Opcode Fuzzy Hash: 9cc6e62f0298c5b73f6fa83c2aad5c83153095882054b1d219fb11bf5e8b0b0c
Instruction Fuzzy Hash: A8F05C931CC230AEE14250956B557F77E6A63872303A16227F64BB35C3A0882B1D7262

Function 04E201D9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4154297826.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b2a83fff1317cd0d6f5930d36bd55f6ad12caf00d3e827d52414ee58ce4e954
Instruction ID: 7358e24b86ff419d4e7b4667360230c55271847b6827b8118726401acc3c6f81
Opcode Fuzzy Hash: 6b2a83fff1317cd0d6f5930d36bd55f6ad12caf00d3e827d52414ee58ce4e954
Instruction Fuzzy Hash: B9E020C72CC130DDD18150C567553F97A1A63872307B03113F70FB66C3B5882B597561

Function 04E2020C Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4154297826.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c59dd0859fcb68d87fd67d2486b7fc7f4be0c2e3f5d85a542cb80d76ebe15f
Instruction ID: 3600a860fe565e4616a1bac3fe66a947f2bf4fdc8df875dab9c304357ba44aac
Opcode Fuzzy Hash: 34c59dd0859fcb68d87fd67d2486b7fc7f4be0c2e3f5d85a542cb80d76ebe15f
Instruction Fuzzy Hash: A3D02B8714C030CAC08152D17B522F67B2563576316202123E20FB72C3A4D427997162

Non-executed Functions

Function 003A84A0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction ID: 98ccf139a8a4d5b6bb8807c094869e375602db42d7e2cc9e4b51a062b86e78b9
Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction Fuzzy Hash: 54023B71E012199FDF15CFA9C8806AEBBF5FF49314F258269D919EB380DB31A9418B90

Function 0032F810 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0032F833
std::_Lockit::_Lockit.LIBCPMT ref: 0032F855
std::_Lockit::~_Lockit.LIBCPMT ref: 0032F875
std::_Lockit::~_Lockit.LIBCPMT ref: 0032F89F
std::_Lockit::_Lockit.LIBCPMT ref: 0032F90D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0032F959
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0032F973
std::_Lockit::~_Lockit.LIBCPMT ref: 0032FA08
std::_Facet_Register.LIBCPMT ref: 0032FA15

Strings

">, xrefs: 0032F96B, 0032F972
bad locale name, xrefs: 0032FA2F

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name$">
API String ID: 3375549084-744497921
Opcode ID: c7da17e2bf791320939d8630616a2901d5bf520318ede485cf7a94a7ed8fbc3f
Instruction ID: 848c9dcfc6e38abb142eca5ef7d48ebf4a6ad53e006f9f76193b363c08ef0780
Opcode Fuzzy Hash: c7da17e2bf791320939d8630616a2901d5bf520318ede485cf7a94a7ed8fbc3f
Instruction Fuzzy Hash: 7361AFB1D00258DFEF12DFA4E845B9EBBB8AF14710F144178E805AB341EB35E905CBA1

Function 002C3D10 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 152COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C3E7F

Strings

@3,, xrefs: 002C3DBE, 002C3E9B
@3,, xrefs: 002C3E84
ios_base::failbit set, xrefs: 002C3D32
`!,, xrefs: 002C3E70
ios_base::badbit set, xrefs: 002C3E17
ios_base::eofbit set, xrefs: 002C3E41, 002C3E63
G>,, xrefs: 002C3DB8
G>,, xrefs: 002C3D2B, 002C3D67, 002C3D6A

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @3,$@3,$G>,$G>,$`!,$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1824058124
Opcode ID: a35cf2be4074591dd225ef0c9b237d9c066734985f87b62e2c54f31530a43e87
Instruction ID: aeeac9620c634ed1c6b9437d40cc3da155b6658ad227f890d80c877a2f21427b
Opcode Fuzzy Hash: a35cf2be4074591dd225ef0c9b237d9c066734985f87b62e2c54f31530a43e87
Instruction Fuzzy Hash: 2E41A4B6910205AFCB05DF58C845FEEB7F9EF49310F14CA2EE915D7641E770AA118BA0

Function 003A2E10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 003A2E47
___except_validate_context_record.LIBVCRUNTIME ref: 003A2E4F
_ValidateLocalCookies.LIBCMT ref: 003A2ED8
__IsNonwritableInCurrentImage.LIBCMT ref: 003A2F03
_ValidateLocalCookies.LIBCMT ref: 003A2F58

Strings

csm, xrefs: 003A2EED
i?, xrefs: 003A2F78

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: i?$csm
API String ID: 1170836740-3060081385
Opcode ID: b9e9f749dd4044be8acf8585c0536db50f70d73dff611b0bdb3c5e5ccea10a1d
Instruction ID: 43d3631f161a9df51cda3f839ea66e15e4cb7b7f7bad89945d3594a441bd00bf
Opcode Fuzzy Hash: b9e9f749dd4044be8acf8585c0536db50f70d73dff611b0bdb3c5e5ccea10a1d
Instruction Fuzzy Hash: B3419F30A00209AFCF16DF6CC881E9FBBB5EF46314F148156E8149B252D731EE55CB90

Function 002C3DE0 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 79COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C3E7F

Strings

@3,, xrefs: 002C3E84
@3,, xrefs: 002C3DBE, 002C3E9B
ios_base::failbit set, xrefs: 002C3D32, 002C3E1E
`!,, xrefs: 002C3E70
ios_base::badbit set, xrefs: 002C3E17
ios_base::eofbit set, xrefs: 002C3E28, 002C3E41, 002C3E63

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @3,$@3,$`!,$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1830230726
Opcode ID: 1960a754fbad110628dced66654e132ba2cd72f953cb5f37d7ce7e5d525612c8
Instruction ID: 87725362fa75ff139afb592ef2ea42a8c091f2d3d20d449ca91a7eeba6559391
Opcode Fuzzy Hash: 1960a754fbad110628dced66654e132ba2cd72f953cb5f37d7ce7e5d525612c8
Instruction Fuzzy Hash: B921F3B69107056FC715DE58D805F96B7ECAF05310F08C92EFA69CB681E770EA208B90

Function 002C4C50 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 442COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002C4F72
___std_exception_destroy.LIBVCRUNTIME ref: 002C4FFF
___std_exception_copy.LIBVCRUNTIME ref: 002C50C8

Strings

@3,, xrefs: 002C50CD
recursive_directory_iterator::operator++, xrefs: 002C504C
`!,, xrefs: 002C4F6B, 002C4FF8, 002C50B9

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: @3,$`!,$recursive_directory_iterator::operator++
API String ID: 1206660477-4040103403
Opcode ID: f1007800a3f40ddf715a9f33d73b021ffb2d36e7f54076de6c8db678cf6aef89
Instruction ID: c3df36e84c3e6df68e54e6e440f886dd19e26bb34065404740834babd7423b67
Opcode Fuzzy Hash: f1007800a3f40ddf715a9f33d73b021ffb2d36e7f54076de6c8db678cf6aef89
Instruction Fuzzy Hash: B2E100719106049FCB29EF68D855BAFBBF9FF48300F108A2DE41697B81D774A914CBA1

Function 002C7820 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 310COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C799A
___std_exception_copy.LIBVCRUNTIME ref: 002C7B75

Strings

type_error, xrefs: 002C784A
`!,, xrefs: 002C7985, 002C7B60
`!,, xrefs: 002C79A5, 002C7B80
out_of_range, xrefs: 002C7A27

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!,$`!,$out_of_range$type_error
API String ID: 2659868963-2346395918
Opcode ID: 89bcd8f281e8e30f4087adecd1507c6131f3705ee8ed7c3b278c332ff666381a
Instruction ID: d82aae48d67053eaf2eb3db1fcc2e54941fe058f4d4c60fd3960f3ccd8ccd8a0
Opcode Fuzzy Hash: 89bcd8f281e8e30f4087adecd1507c6131f3705ee8ed7c3b278c332ff666381a
Instruction Fuzzy Hash: 40C147B19002488FDB19CFA8D984B9EFBF5FB49300F14866DE419EB791E774A9808F50

Function 002C3190 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 170COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C32C6
___std_exception_destroy.LIBVCRUNTIME ref: 002C3350

Strings

@3,, xrefs: 002C3316
+4,, xrefs: 002C3190
`!,, xrefs: 002C32AD, 002C3349
`!,, xrefs: 002C32D1

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: +4,$@3,$`!,$`!,
API String ID: 2970364248-3618221396
Opcode ID: 2e5aaaa0b8be78889034408fa3b1ea6ddfff7b696db7a329b957ee4552844019
Instruction ID: fcff9a33369a1ccaff54f113f1dc1e9f7b487d1f19138f880c5f5b4d75ab2852
Opcode Fuzzy Hash: 2e5aaaa0b8be78889034408fa3b1ea6ddfff7b696db7a329b957ee4552844019
Instruction Fuzzy Hash: F751BC71A102589FCB09CF98D885FEEBBB9FF49300F14862DE815E7381D770AA418B91

Function 002C39F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002C3A58
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002C3AA4
__Getctype.LIBCPMT ref: 002C3ABA
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 002C3AE6
std::_Lockit::~_Lockit.LIBCPMT ref: 002C3B7B

Strings

bad locale name, xrefs: 002C3B96

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: e36aa50c78bc88faadc7ffe906281f20477be9ed329a3cbfbe0a1c52ff1da6db
Instruction ID: ce7dde66f17cb8d015d71b1639d42a41b8527ce08a15aacfceb127d988bdb8cf
Opcode Fuzzy Hash: e36aa50c78bc88faadc7ffe906281f20477be9ed329a3cbfbe0a1c52ff1da6db
Instruction Fuzzy Hash: 2B5180B1D002089FEF11DFA4D845F8EBBB8EF14314F148569E809AB341E775DA14CBA1

Function 0032DE70 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0032DE93
std::_Lockit::_Lockit.LIBCPMT ref: 0032DEB6
std::_Lockit::~_Lockit.LIBCPMT ref: 0032DED6
std::_Facet_Register.LIBCPMT ref: 0032DF4B
std::_Lockit::~_Lockit.LIBCPMT ref: 0032DF63
Concurrency::cancel_current_task.LIBCPMT ref: 0032DF7B

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 0e4bff71e461c6a6dcc3bb92afc927025e247c025320dd96e0779962ef1b8e2c
Instruction ID: 806a0a4ee7a9027488b30f048f0031ac7f78f7ea088439ad973384b94172c710
Opcode Fuzzy Hash: 0e4bff71e461c6a6dcc3bb92afc927025e247c025320dd96e0779962ef1b8e2c
Instruction Fuzzy Hash: 2C41F371D00229EFCF16DF54E946AAEBBB8FB04720F254269E815AB352D731AD00CBD5

Function 002C6F40 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 349COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C7340

Strings

parse_error, xrefs: 002C6F8B
`!,, xrefs: 002C7328
parse error, xrefs: 002C6FFF, 002C7018
`!,, xrefs: 002C734B

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!,$`!,$parse error$parse_error
API String ID: 2659868963-1006035392
Opcode ID: 84f1e675be7825df6cb832cb9344f00ddac710c93601f56f498d933aaf88a832
Instruction ID: 9ae3b6f9146255615c20dee7ba9a1efb1b854a0f3ab4754a4d1f45dd5981581a
Opcode Fuzzy Hash: 84f1e675be7825df6cb832cb9344f00ddac710c93601f56f498d933aaf88a832
Instruction Fuzzy Hash: 2EE180709142488FDB19CF68C884B9DBBB5FF49300F2482ADE419EB792D7749A91CF91

Function 002C73B0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002C75BE
___std_exception_destroy.LIBVCRUNTIME ref: 002C75CD

Strings

, column , xrefs: 002C7434, 002C744A
at line , xrefs: 002C73F7
`!,, xrefs: 002C75B6, 002C75C6

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column $`!,
API String ID: 4194217158-4202377963
Opcode ID: 54f827428ecc31fbc9ac2588ab0c0b484577ff9cdef6129825e47c1ca1ebe826
Instruction ID: 95bcbe514ab9d85a1368d2a35ad8f3de8fcc9166a9e0756f5520c00476279486
Opcode Fuzzy Hash: 54f827428ecc31fbc9ac2588ab0c0b484577ff9cdef6129825e47c1ca1ebe826
Instruction Fuzzy Hash: 5361F270A102049FDB1DCF68DC84BADBBB6FF45300F24862CE415ABB81D774AA548B90

Function 002C3370 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 002C3190: ___std_exception_copy.LIBVCRUNTIME ref: 002C32C6

___std_exception_copy.LIBVCRUNTIME ref: 002C345F

Strings

@3,, xrefs: 002C3464
+4,, xrefs: 002C33B3, 002C3410
@3,, xrefs: 002C33F3, 002C347B
`!,, xrefs: 002C3450

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: +4,$@3,$@3,$`!,
API String ID: 2659868963-1443510104
Opcode ID: f645f1abb756e67c29598abb2d5918c7e000217a19d2455a6f758c8b8ec95f92
Instruction ID: 68f15a29851d4798c8bfa9e54581a23a0309fe96e9779fefc060270f61809815
Opcode Fuzzy Hash: f645f1abb756e67c29598abb2d5918c7e000217a19d2455a6f758c8b8ec95f92
Instruction Fuzzy Hash: 0E3183759002099FCB19DFA8D841EEEFBF9FB09310F14862EE515D7641E770AA50CB90

Function 002C3410 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C345F

Strings

@3,, xrefs: 002C3464
+4,, xrefs: 002C33B3, 002C3410
@3,, xrefs: 002C33F3, 002C347B
`!,, xrefs: 002C3450

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: +4,$@3,$@3,$`!,
API String ID: 2659868963-1443510104
Opcode ID: e69a750ecc1df1fe38bfa402db9b7ea98f17a4bd210f7054a6817afad410cf05
Instruction ID: 98ca65bc141818e9e8be821c03711afb18b3f91a49789e512eb075c25b964425
Opcode Fuzzy Hash: e69a750ecc1df1fe38bfa402db9b7ea98f17a4bd210f7054a6817afad410cf05
Instruction Fuzzy Hash: 4F01FFB6500609AF8709DFA9D445D96FBFDEF45310700856AE619C7611E7B0E524CB90

Function 002C6C60 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 247COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002C6F11
___std_exception_destroy.LIBVCRUNTIME ref: 002C6F20

Strings

`!,, xrefs: 002C6F09, 002C6F19
[json.exception., xrefs: 002C6CB8

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.$`!,
API String ID: 4194217158-4272543052
Opcode ID: c1fb0ad429819c5ac32b0e41c5d19eb47e0ab83c783205f27c956d237bfa8e68
Instruction ID: 9b4939c686bf724d6650fca8faa27e0feda52fcc9ddecf4e3340a0870fbf2473
Opcode Fuzzy Hash: c1fb0ad429819c5ac32b0e41c5d19eb47e0ab83c783205f27c956d237bfa8e68
Instruction Fuzzy Hash: DB91C170A102089FDB19CF68D888F9EBBF6EF45300F20866DE415EB792D771AA41CB51

Function 002C2270 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 002C2275

Part of subcall function 0039D6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0039D6F5

Strings

L?, xrefs: 002C2347
string too long, xrefs: 002C2270
L?, xrefs: 002C2427

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: string too long$L?$L?
API String ID: 1997705970-123487069
Opcode ID: f4c5f38f9d7aad4239cc08b5c8beb98812d1db4da204b6c8ef3914b0f73c37bd
Instruction ID: dd925a892a296c18c71e297c9e71156b01bd94b2ad6d4369200f4fd4078f83bc
Opcode Fuzzy Hash: f4c5f38f9d7aad4239cc08b5c8beb98812d1db4da204b6c8ef3914b0f73c37bd
Instruction Fuzzy Hash: 72815875A14286DFCB16CF68C450BEEBFB5EF5A300F1842AEC85497742CB744559CBA0

Function 002C7620 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 167COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C77B4

Strings

`!,, xrefs: 002C779F
invalid_iterator, xrefs: 002C7656
`!,, xrefs: 002C77BF

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!,$`!,$invalid_iterator
API String ID: 2659868963-2975477599
Opcode ID: f9af32ae31d2764dde020eaa00b297af1a64b1b99441c18947169715aac168fc
Instruction ID: 7ae622d35bd49e252d91b1580ade8475b775a18f1358f4fd674cc29e4d7ff7c1
Opcode Fuzzy Hash: f9af32ae31d2764dde020eaa00b297af1a64b1b99441c18947169715aac168fc
Instruction Fuzzy Hash: 945126B49002488FDB19CFA8D984B9DFBF5BB49300F14866DE419EB791E774A984CF90

Function 002C7BE0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C7D67

Strings

`!,, xrefs: 002C7D52
other_error, xrefs: 002C7C0A
`!,, xrefs: 002C7D72

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!,$`!,$other_error
API String ID: 2659868963-91030564
Opcode ID: 077acc363295ce71f6880b237dd8b78ac49714c166a982cdc643bcf0d492710f
Instruction ID: 785aa8b9ee2df5d97bb8491778ea8565d8532ccb9fd89f2783a7e48f45b68474
Opcode Fuzzy Hash: 077acc363295ce71f6880b237dd8b78ac49714c166a982cdc643bcf0d492710f
Instruction Fuzzy Hash: FB5159B09102488FDB19CFA8D984BADBBF5BF49300F14826DE41AEB781D774A980CF50

Function 0032D050 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0032D06F
___std_exception_copy.LIBVCRUNTIME ref: 0032D096

Strings

`!,, xrefs: 0032D060, 0032D085
`!,, xrefs: 0032D09B

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!,$`!,
API String ID: 2659868963-131796292
Opcode ID: fda45eaca5a2a3375049ca3a9f1f0e42212fab633ab1c617919edb592068f32d
Instruction ID: cd66280b534122bc97cfea25501ddb8ce24887227b71baafc4e819a4882c7814
Opcode Fuzzy Hash: fda45eaca5a2a3375049ca3a9f1f0e42212fab633ab1c617919edb592068f32d
Instruction Fuzzy Hash: 3801A8B6500605AFC709DF59D505882FBF8FB45710701852FA52ACBB10D7B0F528CFA0

Function 0033B3C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0033B3DF
___std_exception_copy.LIBVCRUNTIME ref: 0033B406

Strings

`!,, xrefs: 0033B3D0, 0033B3F5
`!,, xrefs: 0033B40E

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!,$`!,
API String ID: 2659868963-131796292
Opcode ID: 33224eedb60b00052ef9821f182cdade65a20e2118268496b1892af6ab0dfaae
Instruction ID: 7ffc48444c00a5f2e5916a8a396a0ec09ac2cac1ba2a6e4d85042cf0187bbedf
Opcode Fuzzy Hash: 33224eedb60b00052ef9821f182cdade65a20e2118268496b1892af6ab0dfaae
Instruction Fuzzy Hash: 51F0C9BA500605AF870ADF55D505886FBE9FA45710701852FE52ACB710E7B0E524CFA0

Function 0033B450 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0033B612

Strings

Px3, xrefs: 0033B456, 0033B5BA, 0033B5F3, 0033B54A, 0033B4F1
invalid hash bucket count, xrefs: 0033B60D

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_
String ID: Px3$invalid hash bucket count
API String ID: 909987262-3929844800
Opcode ID: 2c31a51e89d1f531b10096a841aae069538f5ced431e223398b4d968c871e341
Instruction ID: baa2fb8dfb592d1c246ee4ada5ba0da3aca42410c3c89a65fff46d1c7481fffa
Opcode Fuzzy Hash: 2c31a51e89d1f531b10096a841aae069538f5ced431e223398b4d968c871e341
Instruction Fuzzy Hash: 007110B5A00609DFCB15CF49C18086AFBF5FF89300B24C5AAE9599B356D731EA41CF90

Function 0033E440 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0033E491

Strings

type must be boolean, but is , xrefs: 0033E582
type must be string, but is , xrefs: 0033E4F8

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: bfa142b9c803a961c630923ba647d987ddd347ad785699a15434d44261b3eab8
Instruction ID: 63bb39df0c3336eab0832f6b413576b0e73107a3a0c755c4eac858a0ff2882fb
Opcode Fuzzy Hash: bfa142b9c803a961c630923ba647d987ddd347ad785699a15434d44261b3eab8
Instruction Fuzzy Hash: 3B4189B5900248AFCB16EBA4E842F9EB7A8DF04300F144678F419DB6C2EB35ED40C792

Function 002C3050 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002C3078

Strings

`!,, xrefs: 002C3063
`!,, xrefs: 002C3080

Memory Dump Source

Source File: 0000000B.00000002.4146169733.00000000002C1000.00000040.00000001.01000000.00000006.sdmp, Offset: 002C0000, based on PE: true

Associated: 0000000B.00000002.4145586988.00000000002C0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4146169733.00000000003F3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147265146.00000000003F8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000003FC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.0000000000585000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.000000000066B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006A0000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006AC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4147307095.00000000006BA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148027108.00000000006BB000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.4148347497.0000000000862000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!,$`!,
API String ID: 2659868963-131796292
Opcode ID: cdbe7dc67c6cbed460adb684ff0e0d72b18ec48e5f3dce6c7405cfac71d5c719
Instruction ID: d4901aacff365470a7f5fdc28c78e6377a10569d98a2c594d6814354f05a432c
Opcode Fuzzy Hash: cdbe7dc67c6cbed460adb684ff0e0d72b18ec48e5f3dce6c7405cfac71d5c719
Instruction Fuzzy Hash: 67E0EDB69012089FC711DFA8990598AFBE8AB19701F0086AAE948DB300F6B0A9548BD1

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_140.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
LisectAVT_2403002A_140.exe

Function 00D3E0A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Function 058809E9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 199
COMMON

Function 0588097A Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 248
COMMON

Function 058809C2 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 246
COMMON

Function 0588099A Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 237
COMMON

Function 058809AC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 234
COMMON

Function 05880A21 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 194
COMMON

Function 05880A2E Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 192
COMMON

Function 05880A4A Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 185
COMMON

Function 05880A8B Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 182
COMMON

Function 05880A78 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 174
COMMON

Function 05880AA8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 164
COMMON

Function 05880AED Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 159
COMMON

Function 00E04942 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON