Edit tour

Windows Analysis Report
dcmaM16D71.exe

Overview

General Information

Sample name:	dcmaM16D71.exe renamed because original name is a hash value
Original sample name:	92af1f8423cb9b7a5f08cd752b9c68a7.exe
Analysis ID:	1515064
MD5:	92af1f8423cb9b7a5f08cd752b9c68a7
SHA1:	a5b7de29d25e351b1a0bc20e8861a0a44fdbe73a
SHA256:	9c3aa1b46412046cab893f4bd96d15af2dc425c61c21a90755830d7f4df39cb0
Tags:	exeRiseProStealeruser-abuse_ch
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected RisePro Stealer

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Found stalling execution ending in API Sleep call

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

dcmaM16D71.exe (PID: 6916 cmdline: "C:\Users\user\Desktop\dcmaM16D71.exe" MD5: 92AF1F8423CB9B7A5F08CD752B9C68A7)

schtasks.exe (PID: 2944 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5888 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MPGPH131.exe (PID: 3668 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 92AF1F8423CB9B7A5F08CD752B9C68A7)

MPGPH131.exe (PID: 4924 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 92AF1F8423CB9B7A5F08CD752B9C68A7)

RageMP131.exe (PID: 6024 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 92AF1F8423CB9B7A5F08CD752B9C68A7)

RageMP131.exe (PID: 7504 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 92AF1F8423CB9B7A5F08CD752B9C68A7)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: dcmaM16D71.exe PID: 6916	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 3668	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 4924	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 6024	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7504	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\dcmaM16D71.exe, ProcessId: 6916, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Suricata Signatures

ET MALWARE RisePro TCP Heartbeat Packet

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-21T15:50:58.347014+0200	2049060	1	A Network Trojan was detected	192.168.2.4	49730	147.45.47.126	58709	TCP

ET MALWARE [ANY.RUN] RisePro TCP (Activity)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-21T15:51:01.279661+0200	2046269	1	A Network Trojan was detected	192.168.2.4	49730	147.45.47.126	58709	TCP
2024-09-21T15:51:08.723035+0200	2046269	1	A Network Trojan was detected	192.168.2.4	49731	147.45.47.126	58709	TCP
2024-09-21T15:51:08.723125+0200	2046269	1	A Network Trojan was detected	192.168.2.4	49732	147.45.47.126	58709	TCP
2024-09-21T15:51:13.066855+0200	2046269	1	A Network Trojan was detected	192.168.2.4	49733	147.45.47.126	58709	TCP
2024-09-21T15:51:21.676337+0200	2046269	1	A Network Trojan was detected	192.168.2.4	49740	147.45.47.126	58709	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: dcmaM16D71.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Avira: detection malicious, Label: TR/Redcap.vzyra
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Avira: detection malicious, Label: TR/Redcap.vzyra

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 91%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Virustotal: Detection: 77%	Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Virustotal: Detection: 77%	Perma Link

Multi AV Scanner detection for submitted file

Source: dcmaM16D71.exe	ReversingLabs: Detection: 91%
Source: dcmaM16D71.exe	Virustotal: Detection: 77%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: dcmaM16D71.exe

Joe Sandbox ML: detected

Source: dcmaM16D71.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049060 - Severity 1 - ET MALWARE RisePro TCP Heartbeat Packet : 192.168.2.4:49730 -> 147.45.47.126:58709
Source: Network traffic	Suricata IDS: 2046269 - Severity 1 - ET MALWARE [ANY.RUN] RisePro TCP (Activity) : 192.168.2.4:49730 -> 147.45.47.126:58709
Source: Network traffic	Suricata IDS: 2046269 - Severity 1 - ET MALWARE [ANY.RUN] RisePro TCP (Activity) : 192.168.2.4:49732 -> 147.45.47.126:58709
Source: Network traffic	Suricata IDS: 2046269 - Severity 1 - ET MALWARE [ANY.RUN] RisePro TCP (Activity) : 192.168.2.4:49731 -> 147.45.47.126:58709
Source: Network traffic	Suricata IDS: 2046269 - Severity 1 - ET MALWARE [ANY.RUN] RisePro TCP (Activity) : 192.168.2.4:49740 -> 147.45.47.126:58709
Source: Network traffic	Suricata IDS: 2046269 - Severity 1 - ET MALWARE [ANY.RUN] RisePro TCP (Activity) : 192.168.2.4:49733 -> 147.45.47.126:58709

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.45.47.126 ports 0,5,7,8,58709,9

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 147.45.47.126:58709

Source: Joe Sandbox View

IP Address: 147.45.47.126 147.45.47.126

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.126

Source: C:\Users\user\Desktop\dcmaM16D71.exe

Code function: 0_2_001C9280 recv,WSASend,

0_2_001C9280

Source: dcmaM16D71.exe, 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, dcmaM16D71.exe, 00000000.00000003.1724860101.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1802109842.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1802231508.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1861832555.0000000005440000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.1943556052.0000000005620000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: RageMP131.exe	String found in binary or memory: https://ipinfo.io/
Source: dcmaM16D71.exe, 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, dcmaM16D71.exe, 00000000.00000003.1724860101.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1802109842.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1802231508.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1861832555.0000000005440000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.1943556052.0000000005620000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: dcmaM16D71.exe, 00000000.00000002.3456276074.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3456538284.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3456587072.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3455376041.00000000019DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3456493535.000000000185B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000005.00000002.3456538284.00000000012AD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTV
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

System Summary

PE file contains section with special chars

Source: dcmaM16D71.exe	Static PE information: section name:
Source: dcmaM16D71.exe	Static PE information: section name: .idata
Source: dcmaM16D71.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\dcmaM16D71.exe	Code function: 0_2_001FA928	0_2_001FA928
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Code function: 0_2_001FC960	0_2_001FC960
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Code function: 0_2_001F71A0	0_2_001F71A0
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Code function: 0_2_0020DA86	0_2_0020DA86
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Code function: 0_2_0020036F	0_2_0020036F
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Code function: 0_2_00218BB0	0_2_00218BB0
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Code function: 0_2_002AFC40	0_2_002AFC40
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Code function: 0_2_001EF580	0_2_001EF580
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Code function: 0_2_00212610	0_2_00212610
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Code function: 0_2_002147BF	0_2_002147BF
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Code function: 0_2_002B2FD0	0_2_002B2FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_002AA928	5_2_002AA928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_002AC960	5_2_002AC960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_002A71A0	5_2_002A71A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_002BDA86	5_2_002BDA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_002B036F	5_2_002B036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_002C8BB0	5_2_002C8BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0035FC40	5_2_0035FC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0029F580	5_2_0029F580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_002C2610	5_2_002C2610
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_002C47BF	5_2_002C47BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00362FD0	5_2_00362FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002AA928	6_2_002AA928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002AC960	6_2_002AC960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002A71A0	6_2_002A71A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002BDA86	6_2_002BDA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002B036F	6_2_002B036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002C8BB0	6_2_002C8BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0035FC40	6_2_0035FC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0029F580	6_2_0029F580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002C2610	6_2_002C2610
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002C47BF	6_2_002C47BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00362FD0	6_2_00362FD0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00D571A0	7_2_00D571A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00D5C960	7_2_00D5C960
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00D5A928	7_2_00D5A928
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00D6DA86	7_2_00D6DA86
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00D78BB0	7_2_00D78BB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00D6036F	7_2_00D6036F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00E0FC40	7_2_00E0FC40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00D4F580	7_2_00D4F580
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00E12FD0	7_2_00E12FD0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00D747BF	7_2_00D747BF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_00D571A0	11_2_00D571A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_00D5C960	11_2_00D5C960
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_00D5A928	11_2_00D5A928
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_00D6DA86	11_2_00D6DA86
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_00D78BB0	11_2_00D78BB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_00D6036F	11_2_00D6036F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_00E0FC40	11_2_00E0FC40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_00D4F580	11_2_00D4F580
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_00E12FD0	11_2_00E12FD0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_00D747BF	11_2_00D747BF

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: String function: 00D54380 appears 48 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 002A4380 appears 48 times

Source: dcmaM16D71.exe	Binary or memory string: OriginalFilename vs dcmaM16D71.exe
Source: dcmaM16D71.exe, 00000000.00000002.3460814793.0000000004B10000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs dcmaM16D71.exe
Source: dcmaM16D71.exe, 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs dcmaM16D71.exe
Source: dcmaM16D71.exe, 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs dcmaM16D71.exe
Source: dcmaM16D71.exe	Binary or memory string: OriginalFilenamedotnet.exe6 vs dcmaM16D71.exe

Source: dcmaM16D71.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dcmaM16D71.exe	Static PE information: Section: ZLIB complexity 0.9979812956204379
Source: dcmaM16D71.exe	Static PE information: Section: mxeojzwh ZLIB complexity 0.9936875563401443
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9979812956204379
Source: RageMP131.exe.0.dr	Static PE information: Section: mxeojzwh ZLIB complexity 0.9936875563401443
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9979812956204379
Source: MPGPH131.exe.0.dr	Static PE information: Section: mxeojzwh ZLIB complexity 0.9936875563401443

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/5@0/1

Source: C:\Users\user\Desktop\dcmaM16D71.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03

Source: C:\Users\user\Desktop\dcmaM16D71.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\dcmaM16D71.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: dcmaM16D71.exe, 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, dcmaM16D71.exe, 00000000.00000003.1724860101.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1802109842.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1802231508.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1861832555.0000000005440000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.1943556052.0000000005620000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: dcmaM16D71.exe, 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, dcmaM16D71.exe, 00000000.00000003.1724860101.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1802109842.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1802231508.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1861832555.0000000005440000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.1943556052.0000000005620000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: dcmaM16D71.exe	ReversingLabs: Detection: 91%
Source: dcmaM16D71.exe	Virustotal: Detection: 77%

Source: dcmaM16D71.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: dcmaM16D71.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\dcmaM16D71.exe

File read: C:\Users\user\Desktop\dcmaM16D71.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\dcmaM16D71.exe "C:\Users\user\Desktop\dcmaM16D71.exe"
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior

Source: dcmaM16D71.exe

Static file information: File size 2425344 > 1048576

Source: dcmaM16D71.exe

Static PE information: Raw size of mxeojzwh is bigger than: 0x100000 < 0x1a0000

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\dcmaM16D71.exe	Unpacked PE file: 0.2.dcmaM16D71.exe.1c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mxeojzwh:EW;qbrinonr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mxeojzwh:EW;qbrinonr:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 5.2.MPGPH131.exe.270000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mxeojzwh:EW;qbrinonr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mxeojzwh:EW;qbrinonr:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 6.2.MPGPH131.exe.270000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mxeojzwh:EW;qbrinonr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mxeojzwh:EW;qbrinonr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 7.2.RageMP131.exe.d20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mxeojzwh:EW;qbrinonr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mxeojzwh:EW;qbrinonr:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 11.2.RageMP131.exe.d20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mxeojzwh:EW;qbrinonr:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mxeojzwh:EW;qbrinonr:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: RageMP131.exe.0.dr	Static PE information: real checksum: 0x25f7bf should be: 0x25288c
Source: MPGPH131.exe.0.dr	Static PE information: real checksum: 0x25f7bf should be: 0x25288c
Source: dcmaM16D71.exe	Static PE information: real checksum: 0x25f7bf should be: 0x25288c

Source: dcmaM16D71.exe	Static PE information: section name:
Source: dcmaM16D71.exe	Static PE information: section name: .idata
Source: dcmaM16D71.exe	Static PE information: section name:
Source: dcmaM16D71.exe	Static PE information: section name: mxeojzwh
Source: dcmaM16D71.exe	Static PE information: section name: qbrinonr
Source: dcmaM16D71.exe	Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: mxeojzwh
Source: RageMP131.exe.0.dr	Static PE information: section name: qbrinonr
Source: RageMP131.exe.0.dr	Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: mxeojzwh
Source: MPGPH131.exe.0.dr	Static PE information: section name: qbrinonr
Source: MPGPH131.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\dcmaM16D71.exe	Code function: 0_2_001F3F59 push ecx; ret	0_2_001F3F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_002A3F59 push ecx; ret	5_2_002A3F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_002A3F59 push ecx; ret	6_2_002A3F6C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00D53F59 push ecx; ret	7_2_00D53F6C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 11_2_00D53F59 push ecx; ret	11_2_00D53F6C

Source: dcmaM16D71.exe	Static PE information: section name: entropy: 7.977718228075335
Source: dcmaM16D71.exe	Static PE information: section name: mxeojzwh entropy: 7.953657351690101
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.977718228075335
Source: RageMP131.exe.0.dr	Static PE information: section name: mxeojzwh entropy: 7.953657351690101
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.977718228075335
Source: MPGPH131.exe.0.dr	Static PE information: section name: mxeojzwh entropy: 7.953657351690101

Source: C:\Users\user\Desktop\dcmaM16D71.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\dcmaM16D71.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file

Source: C:\Users\user\Desktop\dcmaM16D71.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\dcmaM16D71.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\dcmaM16D71.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\dcmaM16D71.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\dcmaM16D71.exe	Stalling execution: Execution stalls by calling Sleep	graph_0-16321
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Stalling execution: Execution stalls by calling Sleep	graph_5-17260
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Stalling execution: Execution stalls by calling Sleep

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\dcmaM16D71.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 350CEF second address: 350CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4C5A4E second address: 4C5A60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F17510C2656h 0x0000000a popad 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4C5A60 second address: 4C5A66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CACA9 second address: 4CACB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jnc 00007F17510C2656h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CAF6A second address: 4CAF70 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CB0FB second address: 4CB105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CB23B second address: 4CB26A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F17510BF1BDh 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F17510BF1C1h 0x00000016 pushad 0x00000017 popad 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CB26A second address: 4CB278 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510C265Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CB278 second address: 4CB281 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CB52C second address: 4CB542 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F17510C2656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F17510C265Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CB542 second address: 4CB575 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F17510BF1C9h 0x00000008 jmp 00007F17510BF1C1h 0x0000000d push eax 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CB575 second address: 4CB58C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17510C2661h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CB58C second address: 4CB599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CB599 second address: 4CB5B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F17510C265Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnc 00007F17510C2656h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CB5B6 second address: 4CB5C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F17510BF1B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CB5C1 second address: 4CB5C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CB5C9 second address: 4CB5D6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F17510BF1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CDBB5 second address: 4CDBC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CDBC0 second address: 4CDBDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CDBDB second address: 4CDC81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C265Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jnc 00007F17510C2662h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 ja 00007F17510C2671h 0x0000001b pop eax 0x0000001c clc 0x0000001d jmp 00007F17510C265Ch 0x00000022 push 00000003h 0x00000024 call 00007F17510C265Ch 0x00000029 ja 00007F17510C265Ah 0x0000002f pop edi 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ecx 0x00000035 call 00007F17510C2658h 0x0000003a pop ecx 0x0000003b mov dword ptr [esp+04h], ecx 0x0000003f add dword ptr [esp+04h], 00000014h 0x00000047 inc ecx 0x00000048 push ecx 0x00000049 ret 0x0000004a pop ecx 0x0000004b ret 0x0000004c push 00000003h 0x0000004e call 00007F17510C2659h 0x00000053 jc 00007F17510C2668h 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CDC81 second address: 4CDC85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CDC85 second address: 4CDCF6 instructions: 0x00000000 rdtsc 0x00000002 js 00007F17510C2656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnp 00007F17510C265Ch 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b pushad 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 jmp 00007F17510C265Ch 0x00000027 popad 0x00000028 mov eax, dword ptr [eax] 0x0000002a jmp 00007F17510C265Bh 0x0000002f mov dword ptr [esp+04h], eax 0x00000033 jl 00007F17510C265Ah 0x00000039 push eax 0x0000003a push ebx 0x0000003b pop ebx 0x0000003c pop eax 0x0000003d pop eax 0x0000003e mov ecx, dword ptr [ebp+122D3BFDh] 0x00000044 lea ebx, dword ptr [ebp+124509DFh] 0x0000004a xor edi, 22B2457Fh 0x00000050 push eax 0x00000051 pushad 0x00000052 pushad 0x00000053 jno 00007F17510C2656h 0x00000059 jne 00007F17510C2656h 0x0000005f popad 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CDCF6 second address: 4CDCFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CDD6A second address: 4CDD70 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CDEC9 second address: 4CDECD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CDECD second address: 4CDF76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 xor dword ptr [esp], 4B1FC5EDh 0x0000000e mov edi, ebx 0x00000010 push 00000003h 0x00000012 mov dword ptr [ebp+122D196Bh], ebx 0x00000018 push 00000000h 0x0000001a jmp 00007F17510C2669h 0x0000001f push 00000003h 0x00000021 adc si, B638h 0x00000026 push D55A4F32h 0x0000002b push esi 0x0000002c jmp 00007F17510C2668h 0x00000031 pop esi 0x00000032 xor dword ptr [esp], 155A4F32h 0x00000039 mov dword ptr [ebp+122D595Ah], edi 0x0000003f lea ebx, dword ptr [ebp+124509F3h] 0x00000045 push 00000000h 0x00000047 push ecx 0x00000048 call 00007F17510C2658h 0x0000004d pop ecx 0x0000004e mov dword ptr [esp+04h], ecx 0x00000052 add dword ptr [esp+04h], 00000014h 0x0000005a inc ecx 0x0000005b push ecx 0x0000005c ret 0x0000005d pop ecx 0x0000005e ret 0x0000005f xchg eax, ebx 0x00000060 jmp 00007F17510C2665h 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 push ecx 0x00000069 jng 00007F17510C2656h 0x0000006f pop ecx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4EEBAE second address: 4EEBB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4EEBB2 second address: 4EEBB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4ECBFD second address: 4ECC01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4ECC01 second address: 4ECC5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007F17510C2656h 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F17510C2666h 0x00000014 ja 00007F17510C2656h 0x0000001a popad 0x0000001b pushad 0x0000001c jbe 00007F17510C2656h 0x00000022 jmp 00007F17510C2664h 0x00000027 popad 0x00000028 jmp 00007F17510C265Ah 0x0000002d popad 0x0000002e pushad 0x0000002f jbe 00007F17510C265Eh 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4ECF67 second address: 4ECF6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4ED10F second address: 4ED11F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F17510C2656h 0x0000000a jno 00007F17510C2656h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4ED11F second address: 4ED14B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1BCh 0x00000007 jmp 00007F17510BF1C5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4ED14B second address: 4ED15E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jmp 00007F17510C265Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4ED483 second address: 4ED487 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4ED603 second address: 4ED614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17510C265Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4ED77A second address: 4ED79B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17510BF1C3h 0x00000009 pop ecx 0x0000000a pushad 0x0000000b jnp 00007F17510BF1B6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4ED79B second address: 4ED7A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4EDD08 second address: 4EDD0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4EE2BF second address: 4EE2D3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F17510C2656h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jno 00007F17510C2662h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4EE2D3 second address: 4EE2DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F17510BF1B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4EE48A second address: 4EE494 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F17510C2656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4EE494 second address: 4EE49A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4EE49A second address: 4EE4A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F17510C2656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4EE724 second address: 4EE732 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F17510BF1BCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4EE9F4 second address: 4EE9FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4EE9FE second address: 4EEA28 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jnp 00007F17510BF1B6h 0x00000010 jmp 00007F17510BF1C9h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4F1B47 second address: 4F1B4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4F44C0 second address: 4F44EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F17510BF1B6h 0x0000000a jmp 00007F17510BF1C8h 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 pop eax 0x00000013 push ecx 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FA121 second address: 4FA127 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FA127 second address: 4FA136 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F17510BF1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4C3F7F second address: 4C3F8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F17510C2656h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4F9E39 second address: 4F9E3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4F9FB3 second address: 4F9FBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FC09C second address: 4FC0A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FC120 second address: 4FC124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FC124 second address: 4FC16D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push edi 0x0000000c push edi 0x0000000d jng 00007F17510BF1B6h 0x00000013 pop edi 0x00000014 pop edi 0x00000015 mov eax, dword ptr [eax] 0x00000017 jmp 00007F17510BF1BAh 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 jmp 00007F17510BF1C1h 0x00000028 jmp 00007F17510BF1BFh 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FC16D second address: 4FC1A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C2669h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push 700B53F8h 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F17510C2661h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FC1A4 second address: 4FC1A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FC31C second address: 4FC322 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FC520 second address: 4FC534 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FC5F3 second address: 4FC60D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnc 00007F17510C265Ch 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FC60D second address: 4FC612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FC612 second address: 4FC618 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FCCD1 second address: 4FCCD6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FCE76 second address: 4FCE7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FD148 second address: 4FD15A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F17510BF1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007F17510BF1BCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FE17F second address: 4FE194 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F17510C265Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FDFFD second address: 4FE007 instructions: 0x00000000 rdtsc 0x00000002 js 00007F17510BF1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FE194 second address: 4FE200 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 js 00007F17510C2656h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f mov si, 39FAh 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F17510C2658h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f mov dword ptr [ebp+1245F297h], ecx 0x00000035 push 00000000h 0x00000037 jng 00007F17510C2673h 0x0000003d jnp 00007F17510C266Dh 0x00000043 call 00007F17510C2666h 0x00000048 pop esi 0x00000049 mov si, 8AB1h 0x0000004d xchg eax, ebx 0x0000004e push edi 0x0000004f push eax 0x00000050 push edx 0x00000051 push edx 0x00000052 pop edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FE007 second address: 4FE021 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FE200 second address: 4FE21C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C265Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b js 00007F17510C2664h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FE21C second address: 4FE220 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FF2A3 second address: 4FF2AD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F17510C2656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FF2AD second address: 4FF2B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FF2B3 second address: 4FF321 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C2668h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push eax 0x0000000f jc 00007F17510C265Ch 0x00000015 jg 00007F17510C2656h 0x0000001b pop esi 0x0000001c push 00000000h 0x0000001e movzx esi, si 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push edx 0x00000026 call 00007F17510C2658h 0x0000002b pop edx 0x0000002c mov dword ptr [esp+04h], edx 0x00000030 add dword ptr [esp+04h], 0000001Dh 0x00000038 inc edx 0x00000039 push edx 0x0000003a ret 0x0000003b pop edx 0x0000003c ret 0x0000003d mov si, DEC1h 0x00000041 xchg eax, ebx 0x00000042 push eax 0x00000043 push edx 0x00000044 jnp 00007F17510C265Ch 0x0000004a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FF321 second address: 4FF327 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FF327 second address: 4FF32B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FF32B second address: 4FF34B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jmp 00007F17510BF1C3h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 501916 second address: 50191E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 501ED2 second address: 501ED7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 501ED7 second address: 501F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007F17510C265Fh 0x0000000d nop 0x0000000e mov dword ptr [ebp+122D1929h], edx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007F17510C2658h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000014h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 jmp 00007F17510C265Dh 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a call 00007F17510C2658h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp+04h], ebx 0x00000044 add dword ptr [esp+04h], 00000015h 0x0000004c inc ebx 0x0000004d push ebx 0x0000004e ret 0x0000004f pop ebx 0x00000050 ret 0x00000051 xchg eax, ebx 0x00000052 push ebx 0x00000053 push eax 0x00000054 push edx 0x00000055 jne 00007F17510C2656h 0x0000005b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 505368 second address: 50536E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 507943 second address: 507948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 507948 second address: 5079A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c add dword ptr [ebp+122D1DDAh], edi 0x00000012 mov edi, 0FF04D6Dh 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F17510BF1B8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000017h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 sbb ebx, 0C14193Eh 0x00000039 push 00000000h 0x0000003b xchg eax, esi 0x0000003c jg 00007F17510BF1C4h 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5079A2 second address: 5079A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 505AD9 second address: 505AE3 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F17510BF1BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 506B52 second address: 506B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 508C35 second address: 508C39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 505AE3 second address: 505AFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F17510C265Ah 0x0000000d jl 00007F17510C265Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 509CB7 second address: 509CC9 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F17510BF1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F17510BF1B6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 507B27 second address: 507B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 50BA5E second address: 50BA64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 50BA64 second address: 50BA77 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F17510C2658h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 50BA77 second address: 50BA7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 50BA7D second address: 50BA81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 50BA81 second address: 50BA85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 50BDBB second address: 50BDD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jno 00007F17510C2658h 0x0000000f js 00007F17510C265Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 50CD82 second address: 50CE30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push esi 0x00000008 pushad 0x00000009 jmp 00007F17510BF1BEh 0x0000000e jns 00007F17510BF1B6h 0x00000014 popad 0x00000015 pop esi 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007F17510BF1B8h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 pushad 0x00000032 jmp 00007F17510BF1C6h 0x00000037 mov edx, dword ptr [ebp+124796ADh] 0x0000003d popad 0x0000003e push dword ptr fs:[00000000h] 0x00000045 mov ebx, dword ptr [ebp+122D394Dh] 0x0000004b mov dword ptr fs:[00000000h], esp 0x00000052 mov edi, esi 0x00000054 mov eax, dword ptr [ebp+122D1755h] 0x0000005a mov edi, edx 0x0000005c push FFFFFFFFh 0x0000005e call 00007F17510BF1BCh 0x00000063 call 00007F17510BF1BEh 0x00000068 mov dword ptr [ebp+122D323Dh], esi 0x0000006e pop edi 0x0000006f pop edi 0x00000070 nop 0x00000071 push eax 0x00000072 push edx 0x00000073 jmp 00007F17510BF1BCh 0x00000078 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 50EDA4 second address: 50EDB2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F17510C2656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 50CE30 second address: 50CE36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 511C35 second address: 511C42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 511C42 second address: 511C56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510BF1C0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 511C56 second address: 511C5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 512CDF second address: 512CE9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F17510BF1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 512CE9 second address: 512D0A instructions: 0x00000000 rdtsc 0x00000002 jl 00007F17510C2658h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jo 00007F17510C2669h 0x00000011 pushad 0x00000012 jmp 00007F17510C265Bh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 50F027 second address: 50F040 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 50F040 second address: 50F050 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F17510C265Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 510DE0 second address: 510DE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 510DE6 second address: 510E57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C265Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c sub edi, 19D66CC4h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 clc 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 mov dword ptr [ebp+1245BB12h], esi 0x00000027 xor dword ptr [ebp+122D2F80h], edx 0x0000002d mov eax, dword ptr [ebp+122D0281h] 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007F17510C2658h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 00000018h 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d push FFFFFFFFh 0x0000004f or edi, 5A427127h 0x00000055 add dword ptr [ebp+122D26EDh], ebx 0x0000005b nop 0x0000005c push eax 0x0000005d push edx 0x0000005e pushad 0x0000005f push ebx 0x00000060 pop ebx 0x00000061 push edx 0x00000062 pop edx 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 50DEB2 second address: 50DEB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 50DEB8 second address: 50DED7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F17510C2661h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 513B8E second address: 513B92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 513B92 second address: 513BDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C265Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d call 00007F17510C2669h 0x00000012 mov ebx, dword ptr [ebp+122D3C25h] 0x00000018 pop ebx 0x00000019 push 00000000h 0x0000001b mov bl, EEh 0x0000001d push 00000000h 0x0000001f add ebx, dword ptr [ebp+122D1869h] 0x00000025 xchg eax, esi 0x00000026 jbe 00007F17510C2660h 0x0000002c push eax 0x0000002d push edx 0x0000002e push esi 0x0000002f pop esi 0x00000030 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 511E5E second address: 511E68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F17510BF1B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 513E13 second address: 513E19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 513E19 second address: 513E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 517E7F second address: 517EBF instructions: 0x00000000 rdtsc 0x00000002 ja 00007F17510C2682h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c js 00007F17510C2656h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 51CAB6 second address: 51CABC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 520040 second address: 52004A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F17510C2656h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4B8789 second address: 4B879D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F17510BF1BEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4B879D second address: 4B87B2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F17510C265Eh 0x00000008 pushad 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 51F7F9 second address: 51F811 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17510BF1C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 51F811 second address: 51F846 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jne 00007F17510C2656h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F17510C2667h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F17510C265Ah 0x00000018 je 00007F17510C2656h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 521681 second address: 5216B2 instructions: 0x00000000 rdtsc 0x00000002 js 00007F17510BF1C9h 0x00000008 jmp 00007F17510BF1C3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 jmp 00007F17510BF1BAh 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5216B2 second address: 5216B8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 52660B second address: 526615 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 526615 second address: 526619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 526619 second address: 52661D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 52661D second address: 52666E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F17510C2669h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jmp 00007F17510C2667h 0x00000016 mov eax, dword ptr [eax] 0x00000018 jmp 00007F17510C265Ah 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 52666E second address: 526672 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 526750 second address: 526754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 52C3EF second address: 52C3FD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F17510BF1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 52C3FD second address: 52C401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 52C401 second address: 52C40D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F17510BF1B6h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4AFFDB second address: 4AFFE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F17510C2656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 52BF3D second address: 52BF41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 52BF41 second address: 52BF51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F17510C265Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 52BF51 second address: 52BF6E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F17510BF1B8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 jno 00007F17510BF1B6h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 52C0B5 second address: 52C0C1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 52C0C1 second address: 52C0C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 531A23 second address: 531A41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 pushad 0x0000000a jnc 00007F17510C265Ch 0x00000010 js 00007F17510C265Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 531A41 second address: 531A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 531A49 second address: 531A6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C2662h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F17510C2656h 0x00000011 jnp 00007F17510C2656h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 531A6D second address: 531A71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 530723 second address: 530727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 530A00 second address: 530A1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F17510BF1BEh 0x00000008 jmp 00007F17510BF1BAh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 530435 second address: 530440 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 530440 second address: 530444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 530444 second address: 53044C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 53044C second address: 530456 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F17510BF1B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 530456 second address: 530467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnp 00007F17510C2656h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FFBA0 second address: 4FFBA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FFBA4 second address: 4FFBA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 531221 second address: 53122A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5313A4 second address: 5313B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F17510C2656h 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5313B0 second address: 5313BA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F17510BF1B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5314F0 second address: 5314F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5314F4 second address: 531511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F17510BF1C2h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 535CDA second address: 535CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 536117 second address: 536131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17510BF1C6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 536131 second address: 536135 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 53628F second address: 536298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 536298 second address: 53629E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 53629E second address: 5362A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5362A4 second address: 5362AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5363DC second address: 5363E6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5363E6 second address: 5363F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C265Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5363F9 second address: 536435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F17510BF1C5h 0x0000000c jo 00007F17510BF1CDh 0x00000012 jmp 00007F17510BF1C5h 0x00000017 pushad 0x00000018 popad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 536435 second address: 53643B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5368CD second address: 5368D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5368D6 second address: 5368DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 536A3D second address: 536A43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 536A43 second address: 536A5E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pushad 0x00000007 jmp 00007F17510C2662h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 536BE0 second address: 536C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jnc 00007F17510BF1B6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F17510BF1B6h 0x00000015 jmp 00007F17510BF1C3h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 536C08 second address: 536C23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C2667h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 536C23 second address: 536C30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007F17510BF1B6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 537175 second address: 53717B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 535A3A second address: 535A47 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F17510BF1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 53C150 second address: 53C156 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 53C156 second address: 53C15C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 53C15C second address: 53C189 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C2661h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F17510C2661h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 53C189 second address: 53C196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push esi 0x00000006 jng 00007F17510BF1B6h 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 53C196 second address: 53C19B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 53C19B second address: 53C1A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 53EDFD second address: 53EE01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 53EE01 second address: 53EE2D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F17510BF1B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F17510BF1C4h 0x00000010 jmp 00007F17510BF1BBh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 53EE2D second address: 53EE47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c jmp 00007F17510C265Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 53EE47 second address: 53EE58 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1BBh 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4BF119 second address: 4BF135 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C2661h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4BF135 second address: 4BF14E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 543003 second address: 543017 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F17510C2656h 0x00000008 jc 00007F17510C2656h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 543017 second address: 54301D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 54301D second address: 54302A instructions: 0x00000000 rdtsc 0x00000002 je 00007F17510C2656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 54302A second address: 54304E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F17510BF1B6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F17510BF1C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 54304E second address: 543055 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FA9C4 second address: 4FAA03 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F17510BF1C9h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d je 00007F17510BF1B6h 0x00000013 jmp 00007F17510BF1C3h 0x00000018 popad 0x00000019 pushad 0x0000001a push edx 0x0000001b pop edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FABE7 second address: 4FABEC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FAFFC second address: 4FB000 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FB000 second address: 4FB006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FB16E second address: 4FB173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FB274 second address: 4FB28D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F17510C2656h 0x0000000a popad 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jo 00007F17510C265Eh 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FB28D second address: 4FB2B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov eax, dword ptr [eax] 0x00000007 jmp 00007F17510BF1C9h 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 pushad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FB2B5 second address: 4FB2D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17510C2669h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FB2D7 second address: 4FB2DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FB483 second address: 4FB489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FB489 second address: 4FB4AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F17510BF1C6h 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FB960 second address: 4FB976 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007F17510C2662h 0x0000000e jo 00007F17510C265Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FBA7C second address: 4FBA81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FBA81 second address: 4FBA9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F17510C265Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FBA9A second address: 4FBAB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 54330B second address: 543327 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C265Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F17510C265Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5434B6 second address: 5434BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5434BA second address: 5434C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5434C9 second address: 5434CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5434CF second address: 5434D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 54361B second address: 54361F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 54361F second address: 543623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 543623 second address: 543653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c pop esi 0x0000000d push edi 0x0000000e pushad 0x0000000f jnl 00007F17510BF1B6h 0x00000015 jmp 00007F17510BF1C5h 0x0000001a push edx 0x0000001b pop edx 0x0000001c popad 0x0000001d push ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 543794 second address: 5437B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510C2669h 0x00000009 jnc 00007F17510C2656h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 54392C second address: 543934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 543934 second address: 543951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F17510C2656h 0x0000000a popad 0x0000000b pushad 0x0000000c jmp 00007F17510C265Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 543AD0 second address: 543AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 jnp 00007F17510BF1B6h 0x0000000c jp 00007F17510BF1B6h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 push edi 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 543AE9 second address: 543B01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C2661h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 543B01 second address: 543B1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17510BF1C3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 543C60 second address: 543C66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 543C66 second address: 543C81 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F17510BF1BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jc 00007F17510BF1BEh 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 549D1D second address: 549D28 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 550CCF second address: 550CE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17510BF1C5h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 550CE9 second address: 550CEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 550E4C second address: 550E5C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F17510BF1C2h 0x00000008 jnc 00007F17510BF1B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 554217 second address: 55421F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 55421F second address: 55423E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510BF1C9h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 55423E second address: 554242 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4B1AE7 second address: 4B1AEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4B1AEB second address: 4B1B07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F17510C2662h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4B1B07 second address: 4B1B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 559CC7 second address: 559CCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 559CCB second address: 559CCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 559CCF second address: 559CDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007F17510C2656h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 559E5A second address: 559E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 559E5E second address: 559E81 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F17510C265Ch 0x00000008 push edi 0x00000009 jo 00007F17510C2656h 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop edi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push edx 0x00000015 jg 00007F17510C265Eh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 55A250 second address: 55A27B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F17510BF1C4h 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007F17510BF1BCh 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 560A16 second address: 560A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F17510C2656h 0x0000000a popad 0x0000000b jmp 00007F17510C265Ah 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F17510C2669h 0x00000017 push ebx 0x00000018 jmp 00007F17510C2663h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 561059 second address: 561064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 561064 second address: 56106A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 56106A second address: 561070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 561070 second address: 561078 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 561078 second address: 56107C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 56107C second address: 5610AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F17510C2658h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jmp 00007F17510C265Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F17510C2660h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5613C4 second address: 5613CE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F17510BF1BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5613CE second address: 5613EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F17510C2666h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4B35A9 second address: 4B35BC instructions: 0x00000000 rdtsc 0x00000002 jc 00007F17510BF1B6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4B35BC second address: 4B35D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jmp 00007F17510C2660h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 56AF2A second address: 56AF30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 56AF30 second address: 56AF52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F17510C2667h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 56AF52 second address: 56AF5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 56AF5A second address: 56AF7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F17510C2668h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 56AF7C second address: 56AF9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F17510BF1C8h 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 56B282 second address: 56B292 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F17510C2656h 0x00000008 ja 00007F17510C2656h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 56B292 second address: 56B2A0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 pop eax 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 56B3F8 second address: 56B41A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17510C265Dh 0x00000009 pop ecx 0x0000000a jg 00007F17510C265Ch 0x00000010 jl 00007F17510C2656h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 56B41A second address: 56B42D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17510BF1BFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 56B811 second address: 56B830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F17510C2667h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 56B830 second address: 56B838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5725D3 second address: 5725E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F17510C2656h 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 572B6D second address: 572B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 572B78 second address: 572B88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510C265Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 572B88 second address: 572B94 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 572B94 second address: 572B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 572B9A second address: 572B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 572B9E second address: 572BA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 572E54 second address: 572E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5730FE second address: 573108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F17510C2656h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5733FA second address: 573419 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F17510BF1C9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 573AE8 second address: 573B00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F17510C265Eh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 573B00 second address: 573B04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 573B04 second address: 573B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 57A89D second address: 57A8C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F17510BF1BDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F17510BF1C4h 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 57A8C7 second address: 57A8DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jnp 00007F17510C2656h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 57A8DB second address: 57A8E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 57A2FC second address: 57A306 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F17510C2656h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 57A306 second address: 57A30C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 57A30C second address: 57A331 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C265Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F17510C2660h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 588026 second address: 58802A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 58802A second address: 588044 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C2666h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 58ED62 second address: 58ED66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 58ED66 second address: 58ED72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F17510C2656h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 596050 second address: 59606C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 jmp 00007F17510BF1C1h 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 59606C second address: 596072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 596072 second address: 59607C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5A77A2 second address: 5A77A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5A7A80 second address: 5A7A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5A7A88 second address: 5A7A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5A7C23 second address: 5A7C3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5A7F8E second address: 5A7F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5A7F92 second address: 5A7FEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1BAh 0x00000007 jnp 00007F17510BF1B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F17510BF1C7h 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007F17510BF1BEh 0x0000001d push ecx 0x0000001e jmp 00007F17510BF1BEh 0x00000023 jmp 00007F17510BF1C1h 0x00000028 pop ecx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5A8173 second address: 5A8180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007F17510C2656h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5A8CFE second address: 5A8D02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5A8D02 second address: 5A8D08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5AC878 second address: 5AC8AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jnl 00007F17510BF1BCh 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F17510BF1C1h 0x00000012 jmp 00007F17510BF1BEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5AC8AA second address: 5AC8AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5AC8AE second address: 5AC8DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F17510BF1BAh 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F17510BF1C5h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5AC8DE second address: 5AC8E8 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F17510C2656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5AC8E8 second address: 5AC8ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5AC8ED second address: 5AC90B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17510C2668h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5AC468 second address: 5AC46C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5AC46C second address: 5AC472 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5AC472 second address: 5AC478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5AC5A6 second address: 5AC5AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5AE042 second address: 5AE04E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F17510BF1B6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5AE04E second address: 5AE052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5C00AC second address: 5C00B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5C00B0 second address: 5C00B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5CE5DE second address: 5CE5E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5D13EF second address: 5D13FF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007F17510C2656h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5D13FF second address: 5D1403 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5D111F second address: 5D1123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5F9BE8 second address: 5F9C0B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F17510BF1B6h 0x00000008 jo 00007F17510BF1B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F17510BF1BBh 0x00000017 js 00007F17510BF1B6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5F9C0B second address: 5F9C15 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F17510C2656h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5F9EBE second address: 5F9ED9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F17510BF1C5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5F9ED9 second address: 5F9EDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5F9EDE second address: 5F9EE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5FA02D second address: 5FA033 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5FA033 second address: 5FA037 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5FA037 second address: 5FA042 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5FA042 second address: 5FA048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5FA810 second address: 5FA817 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5FA995 second address: 5FA999 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5FA999 second address: 5FA9AB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F17510C2656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F17510C2658h 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5FA9AB second address: 5FA9B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F17510BF1B6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5FD8A8 second address: 5FD8AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5FD8AC second address: 5FD8D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F17510BF1C3h 0x00000010 jmp 00007F17510BF1BAh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5FD8D5 second address: 5FD950 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jno 00007F17510C2656h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F17510C2658h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 mov dx, di 0x0000002a push 00000004h 0x0000002c add edx, dword ptr [ebp+122D186Fh] 0x00000032 call 00007F17510C2659h 0x00000037 pushad 0x00000038 ja 00007F17510C266Bh 0x0000003e push edi 0x0000003f pushad 0x00000040 popad 0x00000041 pop edi 0x00000042 popad 0x00000043 push eax 0x00000044 jmp 00007F17510C2662h 0x00000049 mov eax, dword ptr [esp+04h] 0x0000004d pushad 0x0000004e push edi 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5FDC26 second address: 5FDC35 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510BF1BBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5FEF2F second address: 5FEF39 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F17510C2656h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 5FEF39 second address: 5FEF55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C6h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D20656 second address: 4D2066E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510C2664h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D2066E second address: 4D20672 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D20672 second address: 4D2076C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a push ecx 0x0000000b pushfd 0x0000000c jmp 00007F17510C2669h 0x00000011 sub cx, 8A36h 0x00000016 jmp 00007F17510C2661h 0x0000001b popfd 0x0000001c pop ecx 0x0000001d call 00007F17510C2661h 0x00000022 jmp 00007F17510C2660h 0x00000027 pop esi 0x00000028 popad 0x00000029 mov dword ptr [esp], ebp 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F17510C2667h 0x00000033 sbb ecx, 5E4714CEh 0x00000039 jmp 00007F17510C2669h 0x0000003e popfd 0x0000003f pushfd 0x00000040 jmp 00007F17510C2660h 0x00000045 adc eax, 5F7F6D48h 0x0000004b jmp 00007F17510C265Bh 0x00000050 popfd 0x00000051 popad 0x00000052 mov ebp, esp 0x00000054 pushad 0x00000055 pushfd 0x00000056 jmp 00007F17510C2664h 0x0000005b and ax, 2FA8h 0x00000060 jmp 00007F17510C265Bh 0x00000065 popfd 0x00000066 movzx eax, dx 0x00000069 popad 0x0000006a pop ebp 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e mov cx, 8933h 0x00000072 mov ax, 858Fh 0x00000076 popad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D2076C second address: 4D20780 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510BF1C0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF0117 second address: 4CF013C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C2661h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F17510C265Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF013C second address: 4CF0144 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF0144 second address: 4CF0160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F17510C2662h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF0160 second address: 4CF01B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F17510BF1C6h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushfd 0x00000016 jmp 00007F17510BF1C3h 0x0000001b xor cl, FFFFFFDEh 0x0000001e jmp 00007F17510BF1C9h 0x00000023 popfd 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF01B8 second address: 4CF0202 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C2661h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cx, bx 0x00000010 pushfd 0x00000011 jmp 00007F17510C265Fh 0x00000016 adc ch, FFFFFF9Eh 0x00000019 jmp 00007F17510C2669h 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D6028D second address: 4D60293 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D60293 second address: 4D602A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 2507h 0x00000007 mov bx, si 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov di, si 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D602A9 second address: 4D602AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D602AE second address: 4D602B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D602B4 second address: 4D602B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CE0C93 second address: 4CE0C99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CE0C99 second address: 4CE0CBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 mov esi, 5B638D21h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F17510BF1C3h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CE0CBD second address: 4CE0CC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CE0CC3 second address: 4CE0CC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CE0CC7 second address: 4CE0CEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F17510C2669h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CE0CEF second address: 4CE0CF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CE0CF3 second address: 4CE0CF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CE0CF9 second address: 4CE0D5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c jmp 00007F17510BF1C0h 0x00000011 push dword ptr [ebp+08h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 call 00007F17510BF1BDh 0x0000001c pop eax 0x0000001d pushfd 0x0000001e jmp 00007F17510BF1C1h 0x00000023 sub si, DAC6h 0x00000028 jmp 00007F17510BF1C1h 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D50E79 second address: 4D50EA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 06EAh 0x00000007 mov cl, bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F17510C2668h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D50EA0 second address: 4D50EB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510BF1BEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D50EB2 second address: 4D50EB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D50EB6 second address: 4D50EE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F17510BF1C7h 0x0000000e mov ebp, esp 0x00000010 pushad 0x00000011 mov cl, 73h 0x00000013 push eax 0x00000014 push edx 0x00000015 mov cx, di 0x00000018 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D30C4A second address: 4D30C66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510C2668h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D30C66 second address: 4D30C7B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F17510BF1BAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D30C7B second address: 4D30C8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510C265Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D60E0D second address: 4D60E27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17510BF1C5h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF073F second address: 4CF0743 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF0743 second address: 4CF0749 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF0749 second address: 4CF0782 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C2662h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F17510C2660h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F17510C265Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF0782 second address: 4CF0786 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF0786 second address: 4CF078C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF078C second address: 4CF07A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF07A3 second address: 4CF07A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF07A7 second address: 4CF07AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D60025 second address: 4D6002B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D6002B second address: 4D6002F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D6002F second address: 4D60033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D60033 second address: 4D6006D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F17510BF1C7h 0x00000010 jmp 00007F17510BF1C3h 0x00000015 popfd 0x00000016 push eax 0x00000017 push edx 0x00000018 mov ebx, esi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D604CB second address: 4D604DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510C265Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D604DD second address: 4D604F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D604F5 second address: 4D60510 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C2667h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D60510 second address: 4D60516 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D60516 second address: 4D6051A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D6051A second address: 4D60555 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F17510BF1C9h 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F17510BF1BDh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D60555 second address: 4D6055B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D6055B second address: 4D6055F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D6055F second address: 4D6057E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F17510C2661h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D6057E second address: 4D60593 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D60593 second address: 4D605A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510C265Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D605A3 second address: 4D605A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D605A7 second address: 4D605B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D605B8 second address: 4D605BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D605BC second address: 4D605C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D605C2 second address: 4D605C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D605C8 second address: 4D605CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D30B5C second address: 4D30B74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510BF1C4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D30B74 second address: 4D30BAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C265Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov ecx, 2DAD004Bh 0x00000012 mov eax, 6DC95627h 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F17510C2668h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70024 second address: 4D7006C instructions: 0x00000000 rdtsc 0x00000002 mov si, 862Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov al, 56h 0x0000000a popad 0x0000000b push esi 0x0000000c jmp 00007F17510BF1BCh 0x00000011 mov dword ptr [esp], ebp 0x00000014 pushad 0x00000015 mov ax, 8AEDh 0x00000019 pushfd 0x0000001a jmp 00007F17510BF1BAh 0x0000001f sbb cx, 7A88h 0x00000024 jmp 00007F17510BF1BBh 0x00000029 popfd 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 mov eax, 291803CDh 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D107F6 second address: 4D108B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007F17510C2661h 0x0000000b mov esi, 56FF1A77h 0x00000010 pop esi 0x00000011 popad 0x00000012 push esi 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F17510C2666h 0x0000001a xor ax, 5998h 0x0000001f jmp 00007F17510C265Bh 0x00000024 popfd 0x00000025 push ecx 0x00000026 pushfd 0x00000027 jmp 00007F17510C265Fh 0x0000002c and ax, 6A5Eh 0x00000031 jmp 00007F17510C2669h 0x00000036 popfd 0x00000037 pop esi 0x00000038 popad 0x00000039 mov dword ptr [esp], ebp 0x0000003c pushad 0x0000003d call 00007F17510C265Dh 0x00000042 jmp 00007F17510C2660h 0x00000047 pop esi 0x00000048 mov ecx, edx 0x0000004a popad 0x0000004b mov ebp, esp 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 mov si, EE15h 0x00000054 jmp 00007F17510C2662h 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D108B1 second address: 4D108C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 push edi 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebp 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70BDF second address: 4D70BE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70BE5 second address: 4D70BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70BE9 second address: 4D70BED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70BED second address: 4D70C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F17510BF1BDh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70C05 second address: 4D70C15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510C265Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70C15 second address: 4D70C19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70C19 second address: 4D70C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 pushad 0x0000000a mov cx, bx 0x0000000d pushfd 0x0000000e jmp 00007F17510C2669h 0x00000013 add cx, 1CF6h 0x00000018 jmp 00007F17510C2661h 0x0000001d popfd 0x0000001e popad 0x0000001f mov eax, dword ptr [76FB65FCh] 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70C63 second address: 4D70C67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70C67 second address: 4D70C7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C265Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70C7A second address: 4D70CA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F17510BF1BDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70CA8 second address: 4D70CAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70CAE second address: 4D70CB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70CB2 second address: 4D70CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F17C3285302h 0x0000000e jmp 00007F17510C265Fh 0x00000013 mov ecx, eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F17510C2665h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70CE8 second address: 4D70CEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70CEE second address: 4D70CF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70CF2 second address: 4D70D07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor eax, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov bh, 7Fh 0x00000010 mov cx, 7EB9h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70D07 second address: 4D70D0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70D0D second address: 4D70D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70D11 second address: 4D70D2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and ecx, 1Fh 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F17510C265Fh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D70D2F second address: 4D70D4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D30007 second address: 4D3000D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D3000D second address: 4D30012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D30012 second address: 4D3004E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, cx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007F17510C2668h 0x00000013 jmp 00007F17510C2665h 0x00000018 popfd 0x00000019 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D3004E second address: 4D30052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D30052 second address: 4D30075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 call 00007F17510C265Ah 0x0000000e pop esi 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov cx, di 0x00000018 mov ebx, 4A800EDCh 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D30075 second address: 4D300D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F17510BF1C0h 0x0000000f mov ebp, esp 0x00000011 jmp 00007F17510BF1C0h 0x00000016 and esp, FFFFFFF8h 0x00000019 pushad 0x0000001a push ecx 0x0000001b mov ecx, edi 0x0000001d pop edi 0x0000001e mov cx, 25A5h 0x00000022 popad 0x00000023 xchg eax, ecx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F17510BF1C7h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D300D5 second address: 4D30182 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C2669h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F17510C2667h 0x00000011 sub si, A3DEh 0x00000016 jmp 00007F17510C2669h 0x0000001b popfd 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007F17510C265Eh 0x00000023 adc ax, 8BD8h 0x00000028 jmp 00007F17510C265Bh 0x0000002d popfd 0x0000002e pushfd 0x0000002f jmp 00007F17510C2668h 0x00000034 sbb ecx, 5294D638h 0x0000003a jmp 00007F17510C265Bh 0x0000003f popfd 0x00000040 popad 0x00000041 popad 0x00000042 xchg eax, ecx 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 mov esi, edx 0x00000048 mov ecx, edi 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D30182 second address: 4D30195 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510BF1BFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D30195 second address: 4D301BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C2669h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D301BB second address: 4D301BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D301BF second address: 4D301C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D301C3 second address: 4D301C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D301C9 second address: 4D301DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510C2661h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D301DE second address: 4D3021F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushfd 0x00000010 jmp 00007F17510BF1BDh 0x00000015 and ecx, 666888F6h 0x0000001b jmp 00007F17510BF1C1h 0x00000020 popfd 0x00000021 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D3021F second address: 4D3024C instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F17510C2660h 0x00000008 sbb cx, 9A18h 0x0000000d jmp 00007F17510C265Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 mov eax, 47A96665h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D3024C second address: 4D3025C instructions: 0x00000000 rdtsc 0x00000002 mov cx, 03E1h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D3025C second address: 4D30262 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D30262 second address: 4D3027F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D3027F second address: 4D30285 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D30285 second address: 4D3028B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D3028B second address: 4D302D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C265Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F17510C2660h 0x00000011 push eax 0x00000012 pushad 0x00000013 mov cx, bx 0x00000016 mov dx, A750h 0x0000001a popad 0x0000001b xchg eax, esi 0x0000001c pushad 0x0000001d mov ecx, edi 0x0000001f jmp 00007F17510C2661h 0x00000024 popad 0x00000025 mov esi, dword ptr [ebp+08h] 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D302D9 second address: 4D302EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D302EC second address: 4D30329 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F17510C265Fh 0x00000008 pop esi 0x00000009 mov ebx, 506B713Ch 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push esp 0x00000012 jmp 00007F17510C2660h 0x00000017 mov dword ptr [esp], edi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F17510C265Ah 0x00000023 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D30329 second address: 4D3032F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D3032F second address: 4D3039C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F17510C265Ch 0x00000009 adc eax, 539DF2B8h 0x0000000f jmp 00007F17510C265Bh 0x00000014 popfd 0x00000015 jmp 00007F17510C2668h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d test esi, esi 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 pushad 0x00000023 popad 0x00000024 pushfd 0x00000025 jmp 00007F17510C2663h 0x0000002a jmp 00007F17510C2663h 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D3039C second address: 4D303A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D303A2 second address: 4D3041C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F17C32C08C1h 0x0000000e pushad 0x0000000f mov bl, 4Ah 0x00000011 pushad 0x00000012 mov al, 18h 0x00000014 pushfd 0x00000015 jmp 00007F17510C2661h 0x0000001a sbb esi, 2C9A92C6h 0x00000020 jmp 00007F17510C2661h 0x00000025 popfd 0x00000026 popad 0x00000027 popad 0x00000028 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002f pushad 0x00000030 movzx esi, bx 0x00000033 jmp 00007F17510C2669h 0x00000038 popad 0x00000039 je 00007F17C32C087Ah 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007F17510C265Dh 0x00000046 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D3041C second address: 4D30491 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c jmp 00007F17510BF1BEh 0x00000011 or edx, dword ptr [ebp+0Ch] 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F17510BF1BEh 0x0000001b or esi, 18FEFB58h 0x00000021 jmp 00007F17510BF1BBh 0x00000026 popfd 0x00000027 push eax 0x00000028 push edx 0x00000029 pushfd 0x0000002a jmp 00007F17510BF1C6h 0x0000002f add cx, 05B8h 0x00000034 jmp 00007F17510BF1BBh 0x00000039 popfd 0x0000003a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D503D0 second address: 4D503F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C265Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F17510C2665h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D503F8 second address: 4D50408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510BF1BCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D50408 second address: 4D50433 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C265Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F17510C2665h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D50433 second address: 4D50439 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D50439 second address: 4D50464 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007F17510C2662h 0x0000000f mov ah, 9Fh 0x00000011 popad 0x00000012 mov dword ptr [esp], ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov edi, ecx 0x0000001a mov dx, si 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D50464 second address: 4D50469 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D50469 second address: 4D50515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17510C2663h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, esi 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F17510C2664h 0x00000014 or si, F3B8h 0x00000019 jmp 00007F17510C265Bh 0x0000001e popfd 0x0000001f pushad 0x00000020 jmp 00007F17510C2666h 0x00000025 pushfd 0x00000026 jmp 00007F17510C2662h 0x0000002b sub ch, 00000048h 0x0000002e jmp 00007F17510C265Bh 0x00000033 popfd 0x00000034 popad 0x00000035 popad 0x00000036 push eax 0x00000037 jmp 00007F17510C2669h 0x0000003c xchg eax, esi 0x0000003d pushad 0x0000003e pushad 0x0000003f mov ebx, ecx 0x00000041 push esi 0x00000042 pop ebx 0x00000043 popad 0x00000044 mov ah, A6h 0x00000046 popad 0x00000047 mov esi, dword ptr [ebp+08h] 0x0000004a pushad 0x0000004b mov ecx, edx 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D50515 second address: 4D50536 instructions: 0x00000000 rdtsc 0x00000002 mov bh, BBh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 sub ebx, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F17510BF1C6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D50536 second address: 4D5053C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D5053C second address: 4D50540 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D50540 second address: 4D505B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F17510C265Fh 0x00000011 jmp 00007F17510C2663h 0x00000016 popfd 0x00000017 pushfd 0x00000018 jmp 00007F17510C2668h 0x0000001d add eax, 533B7928h 0x00000023 jmp 00007F17510C265Bh 0x00000028 popfd 0x00000029 popad 0x0000002a je 00007F17C3298449h 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007F17510C2665h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D505B8 second address: 4D505C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510BF1BCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D505C8 second address: 4D506A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C265Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 jmp 00007F17510C2666h 0x00000017 mov ecx, esi 0x00000019 pushad 0x0000001a push ecx 0x0000001b mov di, 1B30h 0x0000001f pop ebx 0x00000020 call 00007F17510C2666h 0x00000025 pushfd 0x00000026 jmp 00007F17510C2662h 0x0000002b xor cx, 62A8h 0x00000030 jmp 00007F17510C265Bh 0x00000035 popfd 0x00000036 pop eax 0x00000037 popad 0x00000038 je 00007F17C32983BEh 0x0000003e jmp 00007F17510C265Fh 0x00000043 test byte ptr [76FB6968h], 00000002h 0x0000004a jmp 00007F17510C2666h 0x0000004f jne 00007F17C329839Fh 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 pushfd 0x00000059 jmp 00007F17510C265Dh 0x0000005e and esi, 43DE2026h 0x00000064 jmp 00007F17510C2661h 0x00000069 popfd 0x0000006a mov dx, cx 0x0000006d popad 0x0000006e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D506A0 second address: 4D506BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510BF1C8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D506BC second address: 4D506C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D506C0 second address: 4D5073A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b pushad 0x0000000c mov eax, edx 0x0000000e pushfd 0x0000000f jmp 00007F17510BF1C9h 0x00000014 add cx, 5196h 0x00000019 jmp 00007F17510BF1C1h 0x0000001e popfd 0x0000001f popad 0x00000020 xchg eax, ebx 0x00000021 pushad 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F17510BF1BAh 0x00000029 sub si, 19B8h 0x0000002e jmp 00007F17510BF1BBh 0x00000033 popfd 0x00000034 popad 0x00000035 push edi 0x00000036 pop edi 0x00000037 popad 0x00000038 push eax 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F17510BF1C3h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D5073A second address: 4D5077A instructions: 0x00000000 rdtsc 0x00000002 mov cx, 6FCFh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, 105839EBh 0x0000000d popad 0x0000000e xchg eax, ebx 0x0000000f jmp 00007F17510C265Eh 0x00000014 xchg eax, ebx 0x00000015 jmp 00007F17510C2660h 0x0000001a push eax 0x0000001b jmp 00007F17510C265Bh 0x00000020 xchg eax, ebx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 push esi 0x00000025 pop edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D5077A second address: 4D5079D instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 68A7826Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F17510BF1BAh 0x0000000e mov edx, eax 0x00000010 pop ecx 0x00000011 popad 0x00000012 push dword ptr [ebp+14h] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov bx, ax 0x0000001b push eax 0x0000001c pop edi 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D5079D second address: 4D507A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D507A2 second address: 4D507C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dh, E0h 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F17510BF1C1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D507C1 second address: 4D507D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510C265Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D507EC second address: 4D50857 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 2362FD0Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007F17510BF1BAh 0x0000000f and eax, 3EC11F28h 0x00000015 jmp 00007F17510BF1BBh 0x0000001a popfd 0x0000001b popad 0x0000001c pop esi 0x0000001d jmp 00007F17510BF1C6h 0x00000022 pop ebx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F17510BF1BDh 0x0000002c and si, 1DF6h 0x00000031 jmp 00007F17510BF1C1h 0x00000036 popfd 0x00000037 mov bx, si 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D50857 second address: 4D508A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F17510C2663h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esp, ebp 0x0000000d jmp 00007F17510C2665h 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F17510C2668h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D508A4 second address: 4D508B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D401F7 second address: 4D401FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D401FB second address: 4D40218 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D919A8 second address: 4D919AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D919AE second address: 4D919B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D919B2 second address: 4D919D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F17510C2661h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D919D0 second address: 4D919E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4FEBB9 second address: 4FEBBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF03BD second address: 4CF03C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF03C2 second address: 4CF03EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17510C2665h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F17510C265Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF03EE second address: 4CF0464 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F17510BF1C7h 0x00000008 pop esi 0x00000009 call 00007F17510BF1C9h 0x0000000e pop esi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F17510BF1BCh 0x0000001a xor cl, FFFFFFD8h 0x0000001d jmp 00007F17510BF1BBh 0x00000022 popfd 0x00000023 jmp 00007F17510BF1C8h 0x00000028 popad 0x00000029 xchg eax, ebp 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF0464 second address: 4CF046A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF046A second address: 4CF0470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF0470 second address: 4CF0474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF0474 second address: 4CF0478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF0478 second address: 4CF04D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b mov edx, ecx 0x0000000d pushfd 0x0000000e jmp 00007F17510C2664h 0x00000013 or ax, DCC8h 0x00000018 jmp 00007F17510C265Bh 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ecx 0x00000020 jmp 00007F17510C2666h 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F17510C265Dh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF04D5 second address: 4CF04D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF04D9 second address: 4CF04DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF04DF second address: 4CF0554 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ax 0x00000006 pushfd 0x00000007 jmp 00007F17510BF1C6h 0x0000000c sbb ch, FFFFFFB8h 0x0000000f jmp 00007F17510BF1BBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ecx 0x00000019 jmp 00007F17510BF1C6h 0x0000001e and dword ptr [ebp-04h], 00000000h 0x00000022 pushad 0x00000023 mov esi, 4E0A27ADh 0x00000028 pushfd 0x00000029 jmp 00007F17510BF1BAh 0x0000002e and si, 0648h 0x00000033 jmp 00007F17510BF1BBh 0x00000038 popfd 0x00000039 popad 0x0000003a lea eax, dword ptr [ebp-04h] 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 pop edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF0614 second address: 4CF0618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CF0618 second address: 4CF061E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CD0AE7 second address: 4CD0AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CD0AEB second address: 4CD0AF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CD0AF1 second address: 4CD0B05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510C265Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CD0B05 second address: 4CD0B14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F17510BF1BAh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CD0B14 second address: 4CD0B26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F17510C265Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4CD0B26 second address: 4CD0B79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F17510BF1BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F17510BF1C4h 0x00000013 adc cx, 2038h 0x00000018 jmp 00007F17510BF1BBh 0x0000001d popfd 0x0000001e call 00007F17510BF1C8h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\dcmaM16D71.exe	RDTSC instruction interceptor: First address: 4D8019B second address: 4D80214 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F17510C265Ah 0x00000008 sbb al, 00000018h 0x0000000b jmp 00007F17510C265Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 call 00007F17510C2668h 0x00000018 jmp 00007F17510C2662h 0x0000001d pop eax 0x0000001e popad 0x0000001f mov dword ptr [esp], ebp 0x00000022 jmp 00007F17510C2661h 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c jmp 00007F17510C2663h 0x00000031 mov edi, eax 0x00000033 popad 0x00000034 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\dcmaM16D71.exe	Special instruction interceptor: First address: 350D60 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Special instruction interceptor: First address: 51CAE9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Special instruction interceptor: First address: 350CA0 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Special instruction interceptor: First address: 581FF7 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 400D60 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 5CCAE9 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 400CA0 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 631FF7 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: EB0D60 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 107CAE9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: EB0CA0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 10E1FF7 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\dcmaM16D71.exe

Code function: 0_2_04DA0785 rdtsc

0_2_04DA0785

Source: C:\Users\user\Desktop\dcmaM16D71.exe	Window / User API: threadDelayed 1334	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Window / User API: threadDelayed 1167	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 7729	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1179	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1186	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1109	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 2494	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 2519	Jump to behavior

Source: C:\Users\user\Desktop\dcmaM16D71.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_0-16331
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_5-17267
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\dcmaM16D71.exe TID: 7032	Thread sleep count: 37 > 30	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe TID: 7032	Thread sleep time: -74037s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe TID: 7028	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe TID: 7028	Thread sleep time: -72036s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe TID: 6920	Thread sleep count: 85 > 30	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe TID: 7008	Thread sleep count: 1334 > 30	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe TID: 7008	Thread sleep time: -2669334s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe TID: 6920	Thread sleep count: 252 > 30	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe TID: 2416	Thread sleep count: 241 > 30	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe TID: 6968	Thread sleep count: 1167 > 30	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe TID: 6968	Thread sleep time: -2335167s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6676	Thread sleep count: 56 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6676	Thread sleep time: -112056s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2852	Thread sleep count: 105 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2852	Thread sleep time: -210105s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2756	Thread sleep count: 94 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1456	Thread sleep count: 62 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1456	Thread sleep time: -124062s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2756	Thread sleep count: 236 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6104	Thread sleep count: 249 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6776	Thread sleep count: 72 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6776	Thread sleep time: -144072s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7092	Thread sleep count: 7729 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7092	Thread sleep time: -15465729s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5932	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5932	Thread sleep time: -182091s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3568	Thread sleep count: 92 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3568	Thread sleep time: -184092s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2692	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2832	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2832	Thread sleep time: -182091s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2692	Thread sleep count: 237 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2936	Thread sleep count: 247 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7088	Thread sleep count: 97 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7088	Thread sleep time: -194097s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 732	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 732	Thread sleep time: -72036s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7180	Thread sleep time: -48024s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5852	Thread sleep count: 1179 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5852	Thread sleep time: -2359179s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2500	Thread sleep count: 236 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7304	Thread sleep count: 243 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6172	Thread sleep count: 1186 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6172	Thread sleep time: -2373186s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7176	Thread sleep count: 1109 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7176	Thread sleep time: -2219109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7536	Thread sleep count: 111 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7536	Thread sleep time: -222111s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7540	Thread sleep count: 103 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7540	Thread sleep time: -206103s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7532	Thread sleep count: 105 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7532	Thread sleep time: -210105s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7508	Thread sleep count: 265 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7624	Thread sleep count: 257 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7544	Thread sleep count: 71 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7544	Thread sleep time: -142071s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7520	Thread sleep count: 2494 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7520	Thread sleep time: -4990494s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7528	Thread sleep count: 2519 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7528	Thread sleep time: -5040519s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: RageMP131.exe, RageMP131.exe, 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000006.00000002.3456587072.0000000000D8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}fJ
Source: dcmaM16D71.exe, 00000000.00000002.3456276074.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ngCommonProgramFiles=C:\Program Files (x86)\Common F
Source: RageMP131.exe, 0000000B.00000002.3456493535.00000000018A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000005.00000002.3456538284.0000000001307000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}A
Source: RageMP131.exe, 0000000B.00000002.3456493535.00000000018C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_87D815F4
Source: MPGPH131.exe, 00000006.00000002.3456587072.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}8&{-
Source: dcmaM16D71.exe, 00000000.00000002.3456276074.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:
Source: RageMP131.exe, 0000000B.00000002.3456493535.00000000018C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000B.00000002.3456493535.00000000018A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}l!E
Source: RageMP131.exe, 0000000B.00000002.3456493535.00000000018A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:&
Source: MPGPH131.exe, 00000006.00000002.3456587072.0000000000DBC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RageMP131.exe, 00000007.00000002.3455376041.00000000019DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}0
Source: dcmaM16D71.exe, 00000000.00000002.3456276074.0000000000ED5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3456538284.0000000001314000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3456493535.00000000018AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RageMP131.exe, 0000000B.00000002.3456493535.0000000001850000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000005.00000002.3456538284.0000000001307000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}`c
Source: dcmaM16D71.exe, 00000000.00000003.1757121073.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}*~
Source: RageMP131.exe, 00000007.00000002.3455376041.0000000001A38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000007.00000002.3455376041.0000000001A38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}6
Source: dcmaM16D71.exe, 00000000.00000002.3456276074.0000000000EC6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}bem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Wi
Source: RageMP131.exe, 00000007.00000002.3455376041.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000007.00000002.3455376041.00000000019D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}(x86)
Source: dcmaM16D71.exe, 00000000.00000003.1757121073.0000000000EE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}rm
Source: RageMP131.exe, 0000000B.00000002.3456493535.000000000187C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}b
Source: RageMP131.exe, 00000007.00000002.3455376041.00000000019DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RageMP131.exe, 00000007.00000002.3455376041.0000000001A58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},
Source: RageMP131.exe, 0000000B.00000002.3456217201.00000000016FC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}T
Source: MPGPH131.exe, 00000005.00000002.3456538284.00000000012AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&~
Source: dcmaM16D71.exe, 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: RageMP131.exe, 0000000B.00000002.3456493535.00000000018C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_87D815F41
Source: RageMP131.exe, 00000007.00000002.3455376041.0000000001A47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr

Source: C:\Users\user\Desktop\dcmaM16D71.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\dcmaM16D71.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\dcmaM16D71.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\dcmaM16D71.exe

Code function: 0_2_04DA09CC Start: 04DA0C7A End: 04DA09E5

0_2_04DA09CC

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\dcmaM16D71.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\dcmaM16D71.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\dcmaM16D71.exe

Code function: 0_2_04DA0785 rdtsc

0_2_04DA0785

Source: RageMP131.exe, RageMP131.exe, 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\dcmaM16D71.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\dcmaM16D71.exe

Code function: 0_2_001F361D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_001F361D

Source: C:\Users\user\Desktop\dcmaM16D71.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: dcmaM16D71.exe PID: 6916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 3668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 4924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 6024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7504, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: dcmaM16D71.exe PID: 6916, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 3668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 4924, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 6024, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7504, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	2 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	24 Virtualization/Sandbox Evasion	LSASS Memory	741 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	2 Process Injection	Security Account Manager	24 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	214 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
dcmaM16D71.exe	92%	ReversingLabs	Win32.Trojan.RisePro
dcmaM16D71.exe	77%	Virustotal		Browse
dcmaM16D71.exe	100%	Avira	TR/Redcap.vzyra
dcmaM16D71.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Avira	TR/Redcap.vzyra
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Avira	TR/Redcap.vzyra
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	92%	ReversingLabs	Win32.Trojan.RisePro
C:\ProgramData\MPGPH131\MPGPH131.exe	77%	Virustotal		Browse
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	92%	ReversingLabs	Win32.Trojan.RisePro
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	77%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://www.winimage.com/zLibDll	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://ipinfo.io/	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORTV	0%	Avira URL Cloud	safe
https://www.maxmind.com/en/locate-my-ip-address	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Virustotal		Browse
https://ipinfo.io/	0%	Virustotal		Browse
https://t.me/RiseProSUPPORT	0%	Virustotal		Browse
https://www.maxmind.com/en/locate-my-ip-address	0%	Virustotal		Browse
https://t.me/RiseProSUPPORTV	1%	Virustotal		Browse
http://www.winimage.com/zLibDll	1%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	dcmaM16D71.exe, 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, dcmaM16D71.exe, 00000000.00000003.1724860101.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1802109842.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1802231508.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1861832555.0000000005440000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.1943556052.0000000005620000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	dcmaM16D71.exe, 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, dcmaM16D71.exe, 00000000.00000003.1724860101.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1802109842.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1802231508.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1861832555.0000000005440000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000B.00000003.1943556052.0000000005620000.00000004.00001000.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT	dcmaM16D71.exe, 00000000.00000002.3456276074.0000000000E6E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3456538284.00000000012AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3456587072.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3455376041.00000000019DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3456493535.000000000185B000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORTV	MPGPH131.exe, 00000005.00000002.3456538284.00000000012AD000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/	RageMP131.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.maxmind.com/en/locate-my-ip-address	RageMP131.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.45.47.126	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1515064
Start date and time:	2024-09-21 15:49:58 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	dcmaM16D71.exe renamed because original name is a hash value
Original Sample Name:	92af1f8423cb9b7a5f08cd752b9c68a7.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
09:51:23	API Interceptor	1615575x Sleep call for process: dcmaM16D71.exe modified
09:51:31	API Interceptor	2101855x Sleep call for process: MPGPH131.exe modified
09:51:37	API Interceptor	1749825x Sleep call for process: RageMP131.exe modified
14:50:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
14:50:59	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
14:50:59	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
14:51:06	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
147.45.47.126	file.exe	Get hash	malicious	RisePro Stealer	Browse
	4Ip0IVHqJ3.exe	Get hash	malicious	RisePro Stealer	Browse
	eIbDy5M3wa.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	5HynG1dP1V.exe	Get hash	malicious	RisePro Stealer	Browse
	YiCcqP1Ltt.exe	Get hash	malicious	RisePro Stealer	Browse
	SecuriteInfo.com.Win32.Evo-gen.23207.8804.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	SecuriteInfo.com.Win32.Evo-gen.8431.6571.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse
	2pemMeifDu.exe	Get hash	malicious	RisePro Stealer	Browse
	jv9lMYVHh0.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	KByiiYyiam.exe	Get hash	malicious	LummaC	Browse	147.45.44.131
	B0bHdMDGIN.exe	Get hash	malicious	LummaC	Browse	147.45.44.131
	AD3SI7tuzs.exe	Get hash	malicious	LummaC	Browse	147.45.44.131
	SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer	Browse	193.233.255.84
	file.exe	Get hash	malicious	RedLine	Browse	193.233.255.84
	SecuriteInfo.com.Win32.PWSX-gen.29050.19153.exe	Get hash	malicious	LummaC	Browse	147.45.44.131
	SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe	Get hash	malicious	NetSupport RAT	Browse	147.45.44.131
	SecuriteInfo.com.Win32.MalwareX-gen.17062.12418.exe	Get hash	malicious	LummaC	Browse	147.45.44.131
	SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exe	Get hash	malicious	NetSupport RAT	Browse	147.45.44.131
	SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer	Browse	147.45.44.104

Process:	C:\Users\user\Desktop\dcmaM16D71.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2425344
Entropy (8bit):	7.965841133288666
Encrypted:	false
SSDEEP:	49152:u3cY854MKaOddKQj2u0WSlg+V7FDWSe1B6V1VXRB15:AcROeQl0Hlg+V7FWSe1B6vVX71
MD5:	92AF1F8423CB9B7A5F08CD752B9C68A7
SHA1:	A5B7DE29D25E351B1A0BC20E8861A0A44FDBE73A
SHA-256:	9C3AA1B46412046CAB893F4BD96D15AF2DC425C61C21A90755830D7F4DF39CB0
SHA-512:	7C4FF8568DF1770CB5447F0C91B549A69FDC6EAF923401AF8C5B0A5C0DFFC5FACD4D2DC5C88DCF428EB3CD4A344E0F9F8AE044D9A30A5913D620A45C5C1DB050
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92% Antivirus: Virustotal, Detection: 77%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....f........^...........@..........................._.......%...@.................................^...r.......4.....................^.............................T.^..............................6..@................... . ............................@....rsrc...4...........................@....idata ............................@... ..+.........................@...mxeojzwh......D.....................@...qbrinonr......^.......$.............@....taggant.0....^.."....$.............@...........................................................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\dcmaM16D71.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\dcmaM16D71.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2425344
Entropy (8bit):	7.965841133288666
Encrypted:	false
SSDEEP:	49152:u3cY854MKaOddKQj2u0WSlg+V7FDWSe1B6V1VXRB15:AcROeQl0Hlg+V7FWSe1B6vVX71
MD5:	92AF1F8423CB9B7A5F08CD752B9C68A7
SHA1:	A5B7DE29D25E351B1A0BC20E8861A0A44FDBE73A
SHA-256:	9C3AA1B46412046CAB893F4BD96D15AF2DC425C61C21A90755830D7F4DF39CB0
SHA-512:	7C4FF8568DF1770CB5447F0C91B549A69FDC6EAF923401AF8C5B0A5C0DFFC5FACD4D2DC5C88DCF428EB3CD4A344E0F9F8AE044D9A30A5913D620A45C5C1DB050
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92% Antivirus: Virustotal, Detection: 77%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....f........^...........@..........................._.......%...@.................................^...r.......4.....................^.............................T.^..............................6..@................... . ............................@....rsrc...4...........................@....idata ............................@... ..+.........................@...mxeojzwh......D.....................@...qbrinonr......^.......$.............@....taggant.0....^.."....$.............@...........................................................................................................................................................................................

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\dcmaM16D71.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\dcmaM16D71.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	13
Entropy (8bit):	2.8731406795131336
Encrypted:	false
SSDEEP:	3:LDcW1Y:vni
MD5:	38C2B78E6E3909259F880E9A924B5D0E
SHA1:	B1522769B597AD921D7132EE816B09183B8974A2
SHA-256:	3645E9914E711F3E723271C1F2F1293DE6B0D4609584446F1914172B9B846758
SHA-512:	89D2F21DAEBD09B003C2E1A18CC5A21C5B3836829E1735809DF429C12D75E983D6D0EACD2F5E601C062425130648F0E29464C6ABB484405F4DB9CFFA224A7940
Malicious:	false
Preview:	1726931895512

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.965841133288666
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	dcmaM16D71.exe
File size:	2'425'344 bytes
MD5:	92af1f8423cb9b7a5f08cd752b9c68a7
SHA1:	a5b7de29d25e351b1a0bc20e8861a0a44fdbe73a
SHA256:	9c3aa1b46412046cab893f4bd96d15af2dc425c61c21a90755830d7f4df39cb0
SHA512:	7c4ff8568df1770cb5447f0c91b549a69fdc6eaf923401af8c5b0a5c0dffc5facd4d2dc5c88dcf428eb3cd4a344e0f9f8ae044d9a30a5913d620a45c5c1db050
SSDEEP:	49152:u3cY854MKaOddKQj2u0WSlg+V7FDWSe1B6V1VXRB15:AcROeQl0Hlg+V7FWSe1B6vVX71
TLSH:	7BB533199EE8F2BCD8D025F446D39F51FFF906E448C42966990D22BD26DE30EBD4892C
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s

File Icon


Icon Hash:	8596a1a0a1a1b171

Static PE Info

General

Entrypoint:	0x9ed000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x664C6914 [Tue May 21 09:27:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F17513D0F1Ah
pavgb mm4, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F17513D2F15h
add byte ptr [edx+ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
aas
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx+00000080h], dh
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, 00h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax+00000000h], eax
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18c05e	0x72	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18a000	0x1934	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5ea6a4	0x10	mxeojzwh
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5ea654	0x18	mxeojzwh
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x18369c	0x40
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x189000	0xab400	1082fa8135051b1e2eedc39f48bc0c43	False	0.9979812956204379	data	7.977718228075335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x18a000	0x1934	0x1400	e23e1552be35389ee3054aa229a72a00	False	0.97421875	data	7.8306739257506015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x18c000	0x1000	0x200	0e14477ce436cc9ebd87f17a92173639	False	0.1640625	data	1.180504109820196	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x18d000	0x2bf000	0x200	841e2e8398912c7515a1e73c43b8bad4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mxeojzwh	0x44c000	0x1a0000	0x1a0000	a2601c271eea5b6802beeceadcdbbc5c	False	0.9936875563401443	data	7.953657351690101	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
qbrinonr	0x5ec000	0x1000	0x400	f8acc0982b7f4066546b554fabddb9aa	False	0.787109375	data	6.127950525239502	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x5ed000	0x3000	0x2200	01f92163859ab95d3f8dc41c8ed40429	False	0.07892922794117647	DOS executable (COM)	0.8771064636714784	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5ea6b4	0x1060	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.8838263358778626
RT_GROUP_ICON	0x5eb714	0x14	data	Russian	Russia	1.05
RT_VERSION	0x5eb728	0x310	data	Russian	Russia	0.45408163265306123
RT_MANIFEST	0x5eba38	0x2e6	XML 1.0 document, ASCII text, with CRLF line terminators			0.45417789757412397
RT_MANIFEST	0x5ebd1e	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-21T15:50:58.347014+0200	2049060	ET MALWARE RisePro TCP Heartbeat Packet	1	192.168.2.4	49730	147.45.47.126	58709	TCP
2024-09-21T15:51:01.279661+0200	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	1	192.168.2.4	49730	147.45.47.126	58709	TCP
2024-09-21T15:51:08.723035+0200	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	1	192.168.2.4	49731	147.45.47.126	58709	TCP
2024-09-21T15:51:08.723125+0200	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	1	192.168.2.4	49732	147.45.47.126	58709	TCP
2024-09-21T15:51:13.066855+0200	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	1	192.168.2.4	49733	147.45.47.126	58709	TCP
2024-09-21T15:51:21.676337+0200	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	1	192.168.2.4	49740	147.45.47.126	58709	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 21, 2024 15:50:58.258799076 CEST	49730	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:50:58.263942003 CEST	58709	49730	147.45.47.126	192.168.2.4
Sep 21, 2024 15:50:58.264065027 CEST	49730	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:50:58.347013950 CEST	49730	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:50:58.351922035 CEST	58709	49730	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:01.279660940 CEST	49730	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:01.284593105 CEST	58709	49730	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:05.713159084 CEST	49731	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:05.714031935 CEST	49732	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:05.718235970 CEST	58709	49731	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:05.718317032 CEST	49731	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:05.718822002 CEST	58709	49732	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:05.718868971 CEST	49732	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:05.776417017 CEST	49732	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:05.778399944 CEST	49731	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:05.781312943 CEST	58709	49732	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:05.783183098 CEST	58709	49731	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:08.723035097 CEST	49731	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:08.723124981 CEST	49732	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:08.728003025 CEST	58709	49731	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:08.728018999 CEST	58709	49732	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:10.062856913 CEST	49733	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:10.067910910 CEST	58709	49733	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:10.068049908 CEST	49733	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:10.101569891 CEST	49733	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:10.106492996 CEST	58709	49733	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:13.066854954 CEST	49733	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:13.079804897 CEST	58709	49733	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:18.660545111 CEST	49740	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:18.672312975 CEST	58709	49740	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:18.672574997 CEST	49740	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:18.688196898 CEST	49740	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:18.699950933 CEST	58709	49740	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:19.617198944 CEST	58709	49730	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:19.617285013 CEST	49730	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:21.676337004 CEST	49740	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:21.681585073 CEST	58709	49740	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:27.104043007 CEST	58709	49731	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:27.104206085 CEST	49731	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:27.113660097 CEST	58709	49732	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:27.113776922 CEST	49732	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:31.740155935 CEST	58709	49733	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:31.740272045 CEST	49733	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:31.741381884 CEST	58709	49733	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:31.741434097 CEST	49733	58709	192.168.2.4	147.45.47.126
Sep 21, 2024 15:51:40.098795891 CEST	58709	49740	147.45.47.126	192.168.2.4
Sep 21, 2024 15:51:40.099962950 CEST	49740	58709	192.168.2.4	147.45.47.126

Target ID:	0
Start time:	09:50:52
Start date:	21/09/2024
Path:	C:\Users\user\Desktop\dcmaM16D71.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\dcmaM16D71.exe"
Imagebase:	0x1c0000
File size:	2'425'344 bytes
MD5 hash:	92AF1F8423CB9B7A5F08CD752B9C68A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	09:50:57
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0x7c0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:50:57
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:50:57
Start date:	21/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0x7c0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:50:57
Start date:	21/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:50:59
Start date:	21/09/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x270000
File size:	2'425'344 bytes
MD5 hash:	92AF1F8423CB9B7A5F08CD752B9C68A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs Detection: 77%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	09:50:59
Start date:	21/09/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x270000
File size:	2'425'344 bytes
MD5 hash:	92AF1F8423CB9B7A5F08CD752B9C68A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	09:51:06
Start date:	21/09/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0xd20000
File size:	2'425'344 bytes
MD5 hash:	92AF1F8423CB9B7A5F08CD752B9C68A7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs Detection: 77%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	09:51:14
Start date:	21/09/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0xd20000
File size:	2'425'344 bytes
MD5 hash:	92AF1F8423CB9B7A5F08CD752B9C68A7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0.3%
Signature Coverage:	3.7%
Total number of Nodes:	1285
Total number of Limit Nodes:	21

Executed Functions

Function 04DA0785 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 416
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Z, xrefs: 04DA0BF3

Memory Dump Source

Source File: 00000000.00000002.3462642775.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4da0000_dcmaM16D71.jbxd

Similarity

API ID:
String ID: Z
API String ID: 0-3693650021
Opcode ID: 95b740b3fafa7f2301e3c79fee26d75dbfd371f4a0ab47fd04264f7983021ce1
Instruction ID: abc350ec2234a9dbce1082d8c23e00e90fa69b7a9d339741e0fc5d7e9fe1ebec
Opcode Fuzzy Hash: 95b740b3fafa7f2301e3c79fee26d75dbfd371f4a0ab47fd04264f7983021ce1
Instruction Fuzzy Hash: 5281ADEB34D121BDB10399812B54EFB676DE6C6730731882BF483D6502F394AE6E6072

Function 001C9280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0030D15C,00000000,74D723A0,-00349880), ref: 001C96C9

Strings

Ws2_32.dll, xrefs: 001C969A

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: Send
String ID: Ws2_32.dll
API String ID: 121738739-3093949381
Opcode ID: 5611a04a6341aa0ed432ea55869e2299843f004a38060fa6d9be7fddf038daea
Instruction ID: a1b1968ce830ba5cecc066fa1b88f825dec0d9aed0af114b82983334f81f8749
Opcode Fuzzy Hash: 5611a04a6341aa0ed432ea55869e2299843f004a38060fa6d9be7fddf038daea
Instruction Fuzzy Hash: 3002DC70D04298DFDF25CFA4C894BACBBB1EF69300F24428DE4856B686D7745986CB92

Function 04DA09CC Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DA0A2D

Strings

Z, xrefs: 04DA0BF3

Memory Dump Source

Source File: 00000000.00000002.3462642775.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4da0000_dcmaM16D71.jbxd

Similarity

API ID: CurrentProfile
String ID: Z
API String ID: 2104809126-3693650021
Opcode ID: d1ef0ed8b093013d5e4950afac060fb1d6071af6e16abdbb37d048c3f93951e6
Instruction ID: 3173c873b79e6ff0fcd0ec8b47f70ba8e2f70d6a71ce58a471b962370b0d8d87
Opcode Fuzzy Hash: d1ef0ed8b093013d5e4950afac060fb1d6071af6e16abdbb37d048c3f93951e6
Instruction Fuzzy Hash: AE518CEB34D124BDB113D9812B24EFB676DE5C6770330886BF843D2542F784AA5E6072

Function 00287B00 Relevance: 15.3, APIs: 10, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000438,0000FFFF,00001006,?,00000008), ref: 00287BA7
recv.WS2_32(?,00000004,00000002), ref: 00287BC1
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00287C43
recv.WS2_32(00000000,0000000C,00000008), ref: 00287C64

Part of subcall function 00288590: WSAStartup.WS2_32 ref: 002885BA
Part of subcall function 00288590: socket.WS2_32(?,?,?,?,?,?,00349328,?,?), ref: 0028865E
Part of subcall function 00288590: connect.WS2_32(00000000,00319BFC,?,?,?,?,00349328,?,?), ref: 00288672
Part of subcall function 00288590: closesocket.WS2_32(00000000), ref: 0028867D

recv.WS2_32(00000000,?,00000008), ref: 00287D1B
recv.WS2_32(?,00000004,00000008), ref: 00287E23
__Xtime_get_ticks.LIBCPMT ref: 00287E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00287E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00287EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00287EB9

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: recv$Sleep$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsetsockoptsocket
String ID:
API String ID: 56803616-0
Opcode ID: d853e5a55d398af6fc16b7cc9a9a00aff19d076bee7700b626dbfbc2a11b827e
Instruction ID: 95c084bd213c7845d19ff68e2dee200dae203140f683ae426dab95f22cb81120
Opcode Fuzzy Hash: d853e5a55d398af6fc16b7cc9a9a00aff19d076bee7700b626dbfbc2a11b827e
Instruction Fuzzy Hash: 46B1BB74D143089BEB11EFA8CC89BADBBB5EB55300F204259E454AF2D2D7B0AD94CB91

Function 00288590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 002885BA
socket.WS2_32(?,?,?,?,?,?,00349328,?,?), ref: 0028865E
connect.WS2_32(00000000,00319BFC,?,?,?,?,00349328,?,?), ref: 00288672
closesocket.WS2_32(00000000), ref: 0028867D

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 5f2e32187835baec903bd828876a40bea2015b9558ac19890794d8de38304112
Instruction ID: 04cda77b61e652f2340f41f742281e7b86aebdaff5e3c9ea3100a580c47da04b
Opcode Fuzzy Hash: 5f2e32187835baec903bd828876a40bea2015b9558ac19890794d8de38304112
Instruction Fuzzy Hash: 463107725163115BD7209F248C4472BB7E9FFCA774F404F1AFAA8A21D0E770992487A3

Function 04DA088B Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 321
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Z, xrefs: 04DA0BF3

Memory Dump Source

Source File: 00000000.00000002.3462642775.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4da0000_dcmaM16D71.jbxd

Similarity

API ID:
String ID: Z
API String ID: 0-3693650021
Opcode ID: cf7df19aac18ef3b154ff7c431035ac9e65a5e14ceb96bdf38bc9a25cc62a92a
Instruction ID: b63d089d760845cfa7a4ae7dbbbb4676cea7d09141ea8ca50d7cd0394f23ed9d
Opcode Fuzzy Hash: cf7df19aac18ef3b154ff7c431035ac9e65a5e14ceb96bdf38bc9a25cc62a92a
Instruction Fuzzy Hash: 97519DEB34D121BDB10399812B64EFAA76DE6C6730731846BF843D2506F788AE5D2072

Function 04DA0856 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 318
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DA0A2D

Strings

Z, xrefs: 04DA0BF3

Memory Dump Source

Source File: 00000000.00000002.3462642775.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4da0000_dcmaM16D71.jbxd

Similarity

API ID: CurrentProfile
String ID: Z
API String ID: 2104809126-3693650021
Opcode ID: 40187780668e0348784a95d1d6acda39b02be29eb5f56e00c9916cb49271d896
Instruction ID: caf34448e9fffcf2b9469bdb50efca29275a3f44606f57af62fe7d98816dde8a
Opcode Fuzzy Hash: 40187780668e0348784a95d1d6acda39b02be29eb5f56e00c9916cb49271d896
Instruction Fuzzy Hash: 30515CEB34C125BDB10399812B64EFBA76DE6C6730731846BF943D2506F7C8AA5D2072

Function 04DA08AF Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DA0A2D

Strings

Z, xrefs: 04DA0BF3

Memory Dump Source

Source File: 00000000.00000002.3462642775.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4da0000_dcmaM16D71.jbxd

Similarity

API ID: CurrentProfile
String ID: Z
API String ID: 2104809126-3693650021
Opcode ID: 721bf6de452e1fa646139f7a326ed6b6b01ba0c53ceefe0d2e4522c141324118
Instruction ID: 48e0e7c888d2b34eb07ff4bc977cfb59286df973df0562fa7a3136f6ba286887
Opcode Fuzzy Hash: 721bf6de452e1fa646139f7a326ed6b6b01ba0c53ceefe0d2e4522c141324118
Instruction Fuzzy Hash: 99517CEB34D125BDB10399812B64EFB676DE6C6B30731846BF443D1502F388AA5D2072

Function 04DA08DE Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Z, xrefs: 04DA0BF3

Memory Dump Source

Source File: 00000000.00000002.3462642775.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4da0000_dcmaM16D71.jbxd

Similarity

API ID:
String ID: Z
API String ID: 0-3693650021
Opcode ID: de7cfee608a89809c65a727f77ae42fefd04a9329f139477ee2abae23cc8ca34
Instruction ID: 738d48c402838feee50634f3710c9585f6ffe74a752023623d47a037d90a9fa6
Opcode Fuzzy Hash: de7cfee608a89809c65a727f77ae42fefd04a9329f139477ee2abae23cc8ca34
Instruction Fuzzy Hash: 48515AEB34D125BCB10399812B64EFB676DE6C6B30731846BF843D1506F788AE5D2072

Function 04DA0874 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DA0A2D

Strings

Z, xrefs: 04DA0BF3

Memory Dump Source

Source File: 00000000.00000002.3462642775.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4da0000_dcmaM16D71.jbxd

Similarity

API ID: CurrentProfile
String ID: Z
API String ID: 2104809126-3693650021
Opcode ID: 5f3009d80da316050204de3e7c9e34c03854cdb1e4852b24d40949f9d3927218
Instruction ID: 52b57e9b96e194e98e84541fcf13242a2670827fad556b8b4cb3de3b96f890ed
Opcode Fuzzy Hash: 5f3009d80da316050204de3e7c9e34c03854cdb1e4852b24d40949f9d3927218
Instruction Fuzzy Hash: 4F515AEB34C125BDB10399812B64EFB676DE6C6B30730846BF983D1506F788AA5D2032

Function 04DA0943 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DA0A2D

Strings

Z, xrefs: 04DA0BF3

Memory Dump Source

Source File: 00000000.00000002.3462642775.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4da0000_dcmaM16D71.jbxd

Similarity

API ID: CurrentProfile
String ID: Z
API String ID: 2104809126-3693650021
Opcode ID: 338dee58f233ead10b9b62e26a8eeea8aa56d2e9a8fb22f32f5d6e142426931f
Instruction ID: 81da26d810d2df349d60a1c8bde90f042f192beae7b2f7b62833baa488967dbc
Opcode Fuzzy Hash: 338dee58f233ead10b9b62e26a8eeea8aa56d2e9a8fb22f32f5d6e142426931f
Instruction Fuzzy Hash: 5D4148EB34D125BCB11399812B64EFB676DE5D6B70331886BF843D2506F784AA5D2032

Function 04DA096A Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DA0A2D

Strings

Z, xrefs: 04DA0BF3

Memory Dump Source

Source File: 00000000.00000002.3462642775.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4da0000_dcmaM16D71.jbxd

Similarity

API ID: CurrentProfile
String ID: Z
API String ID: 2104809126-3693650021
Opcode ID: c103aa684cadea3f3c6b6ae6ae466649d49ea4817430fbade3bd81e663674236
Instruction ID: 9ee7e7418f71892df83a64debfa97347fccbf9a95965ce2a0246d606cf8dc66c
Opcode Fuzzy Hash: c103aa684cadea3f3c6b6ae6ae466649d49ea4817430fbade3bd81e663674236
Instruction Fuzzy Hash: DD415AEB34D125BDB11399812B64EFB676DE5C6B70330886BF843D2546F784AA5E2032

Function 04DA095D Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DA0A2D

Strings

Z, xrefs: 04DA0BF3

Memory Dump Source

Source File: 00000000.00000002.3462642775.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4da0000_dcmaM16D71.jbxd

Similarity

API ID: CurrentProfile
String ID: Z
API String ID: 2104809126-3693650021
Opcode ID: dc92c51d2c828c95fd8f2c00c4fd69e72f00bfb829e748f86efdb19076a85c61
Instruction ID: 2a66883a03017220ff0a5acde4bcf449a3ee02a31c4dc83387a1986b348d653f
Opcode Fuzzy Hash: dc92c51d2c828c95fd8f2c00c4fd69e72f00bfb829e748f86efdb19076a85c61
Instruction Fuzzy Hash: 5E4158EB34D125BCB113C9812B64EFBA76DE5C6B30330886BF843D2506F784AA5D2032

Function 04DA0991 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DA0A2D

Strings

Z, xrefs: 04DA0BF3

Memory Dump Source

Source File: 00000000.00000002.3462642775.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4da0000_dcmaM16D71.jbxd

Similarity

API ID: CurrentProfile
String ID: Z
API String ID: 2104809126-3693650021
Opcode ID: 8dc20b4d9fecb5cd439a8d9f4f5e9d3f3647dc73675a86ac0a41d9049e971646
Instruction ID: e4663b3a6527350795260bb83f8638c43a2db77cef47185b90146fdfbf715653
Opcode Fuzzy Hash: 8dc20b4d9fecb5cd439a8d9f4f5e9d3f3647dc73675a86ac0a41d9049e971646
Instruction Fuzzy Hash: A5417CEB34D124BDB21389852F24EFB676DE5C6B30330846BF843D2546F784AA5D6032

Function 04DA0A09 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DA0A2D

Strings

Z, xrefs: 04DA0BF3

Memory Dump Source

Source File: 00000000.00000002.3462642775.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4da0000_dcmaM16D71.jbxd

Similarity

API ID: CurrentProfile
String ID: Z
API String ID: 2104809126-3693650021
Opcode ID: e815fc6a15506637cb1b0ef1b309904f629cdf2c2f1e04cbb1e3a25d0da3c251
Instruction ID: f4743fd26c2ad6a63d9bb8eadb765000569bcaf508a2a7e56e2065dd717eda06
Opcode Fuzzy Hash: e815fc6a15506637cb1b0ef1b309904f629cdf2c2f1e04cbb1e3a25d0da3c251
Instruction Fuzzy Hash: 5C4149EB34D1247CB21399812B64EFB676DE5C6B70331886BF847D2506F784AA5D2072

Function 04DA09B8 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 229COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DA0A2D

Strings

Z, xrefs: 04DA0BF3

Memory Dump Source

Source File: 00000000.00000002.3462642775.0000000004DA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4da0000_dcmaM16D71.jbxd

Similarity

API ID: CurrentProfile
String ID: Z
API String ID: 2104809126-3693650021
Opcode ID: a89f29a52b166cf5321ae5a1b88cb806dd8f6bcba3eaa01e6d1035e8b689b27c
Instruction ID: abdbe5a3aa5f250d43f057218e452282d4305c5e2225aee2f05b0ba684b47c53
Opcode Fuzzy Hash: a89f29a52b166cf5321ae5a1b88cb806dd8f6bcba3eaa01e6d1035e8b689b27c
Instruction Fuzzy Hash: EA4137EB34D124BDB21389812F24EFB676DE5C6B30331886BF847D2546F784AA5D2032

Function 00209789 Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0020990E

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3905c7796dc9d8c797ce17f508952e74a1a07578c851cf0761614d90870e5e6f
Instruction ID: 4322bbb46d8ba6b8e4430df8386048b22bac5b563be3f681427ee04069c4c8ec
Opcode Fuzzy Hash: 3905c7796dc9d8c797ce17f508952e74a1a07578c851cf0761614d90870e5e6f
Instruction Fuzzy Hash: BA61C8B1C2421AAFDF11DFA8C880AEEBBB9AF45304F144149E901A7297D771DDA1CB60

Function 0020251C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00202626,?,?,?,?,?), ref: 00202558

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e3fdc1aa2d8759e2acbb4cc78bd01ba277dd4aa88edd2ee927b5a955a00ac05c
Instruction ID: 8398c9330f6e8e47c593afd0b961caf0964f376002e69eaae656ceb35601e63a
Opcode Fuzzy Hash: e3fdc1aa2d8759e2acbb4cc78bd01ba277dd4aa88edd2ee927b5a955a00ac05c
Instruction Fuzzy Hash: 0B012632620215AFDF09CF19DC15D9E7F59DF85334B240209F800AB2E2EA71ED618BA4

Function 001C32D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 001C331F

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: 8d86d23f7220c27258312bc264bb2139b00c432f7a8ea2c6f32083bedd8d8330
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: 8DF0B4721001049BDB146FA4D815AF9B3F8EF34361750497EE9ADC7212EF36DA40C790

Function 0020B094 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,001F4B3F,?,?,74D723A0,?,?,001C3522,?,?), ref: 0020B0C7

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0b11b0c7c58e59f2d4e32dac05a2fe073af2cbfa8f0e58776eaa5afaf6cd2436
Instruction ID: 272320e3e08a78749cbc4969c8057ffe1a79a12ccf3f90b330f69a307678336e
Opcode Fuzzy Hash: 0b11b0c7c58e59f2d4e32dac05a2fe073af2cbfa8f0e58776eaa5afaf6cd2436
Instruction Fuzzy Hash: BDE092312317226AEB333A659C11B6B765F9F423A1F190221EC25A65C3EF61DC3086E5

Function 00208DFF Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00208CE6,00000000,?,0033A178,0000000C,00208DA2,?,?,?), ref: 00208E55

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: a30b638cdb076b23374e9092ba3438a5810bb2993a85d7aec7edb81f2a8355d0
Instruction ID: 4f2f2d70f0d242ec17fac4ef9abb31a7332a2d9f74c465f32864fbfdaf1ea989
Opcode Fuzzy Hash: a30b638cdb076b23374e9092ba3438a5810bb2993a85d7aec7edb81f2a8355d0
Instruction Fuzzy Hash: EA11483263132416DB252635EC41B7F67494F82738F2A0A1DFA588B1C3DEA19CB14551

Function 04DB0152 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462852494.0000000004DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4db0000_dcmaM16D71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1434d70773b401a1a8ef132695cdcb9adf3fee42dd6545003b7e2cb55372811
Instruction ID: 4310c314289559706f17dab62d92c3558899d18cb53da8b4014857de59c760d5
Opcode Fuzzy Hash: c1434d70773b401a1a8ef132695cdcb9adf3fee42dd6545003b7e2cb55372811
Instruction Fuzzy Hash: 3711C0F760C000FFAA079D51AA605FB3FEDE5863B4731C856F4C3CA21AE151E54696E1

Function 04DB0140 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3462852494.0000000004DB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4db0000_dcmaM16D71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2705e165b4d9480578f9ff511bb8ad7467085b03ee651eedcf21ad70276dc979
Instruction ID: b383e093d24d3088f00fbdac636c66e7d0280246f3526af475df51706e8ae26b
Opcode Fuzzy Hash: 2705e165b4d9480578f9ff511bb8ad7467085b03ee651eedcf21ad70276dc979
Instruction Fuzzy Hash: E4017BDB148011ACB407AD666B949FB2BEDE1C66B0331DC26F4C3C5B06E1859A8A50F0

Non-executed Functions

Function 002147BF Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 002149D6

Strings

1#IND, xrefs: 002148C4
1#QNAN, xrefs: 002148D2
1#INF, xrefs: 002148F5
1#SNAN, xrefs: 002148CB

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: f636c04007eed239672dc9efb12cc429004d330957d63e601ec96bb92acf2355
Instruction ID: 0dc594150f7dd3368c93fde7ac005a7deb42dc1cfc01fed116f76eac0e6c4ebb
Opcode Fuzzy Hash: f636c04007eed239672dc9efb12cc429004d330957d63e601ec96bb92acf2355
Instruction Fuzzy Hash: 04D22671E286298FDB65CE28DD407EAB7F5EB94305F1441EAD40DA7240E778AED18F80

Function 001FC960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: a7946ebb8717f9a5a2f0a2080181d7cfdc7d890014761bd308e3a4c31923d96f
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: FE023B71E0021D9BDF14CFA9C9806AEBBB1FF48314F258269EA19E7380D731A941DB90

Function 001F361D Relevance: 1.5, APIs: 1, Instructions: 28timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,001F3077,?,?,?,?,00287E2F), ref: 001F3655

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: 309dcbb2f751d7b7342e6688b15809ee752ee6b5bb5aa5ab3c07dd6a360bc4f6
Instruction ID: 7cbed5600dfa755b303be86deefb885c5bf46036b3fa7a0297d0e8763b24a4e1
Opcode Fuzzy Hash: 309dcbb2f751d7b7342e6688b15809ee752ee6b5bb5aa5ab3c07dd6a360bc4f6
Instruction Fuzzy Hash: C2F06C36944554EFC7069F54DC00F9D77ACF749B24F004626D921D7790DF746A008E90

Function 00218BB0 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

`., xrefs: 00218C87, 00218CA0, 00218D77, 00218D93

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID:
String ID: `.
API String ID: 0-1808708230
Opcode ID: 977beedbef35d94dcd22bed567e329dc830c8b7263959b0ea7cbde72c9a0b28d
Instruction ID: e942cb25d2e0fad1f15ca5b00b7a0101464bd74a726e5aa160ad20c709669656
Opcode Fuzzy Hash: 977beedbef35d94dcd22bed567e329dc830c8b7263959b0ea7cbde72c9a0b28d
Instruction Fuzzy Hash: 2481F2B4E1024A9FDB158F68D8C17FFBBF5EB2A300F44016AD9549B382CB349959C7A0

Function 002B2FD0 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278fe9adefdf42a5ec8edac92cf0a87358dcef4640420414ef397005a92dab30
Instruction ID: 4a32d057145f335069137371b71cd6a92f51eacc28f3a08c297d1025160526eb
Opcode Fuzzy Hash: 278fe9adefdf42a5ec8edac92cf0a87358dcef4640420414ef397005a92dab30
Instruction Fuzzy Hash: 12625CB0E202169FDB14CF99C5846ADBBF5AF48348F2881ADD814AB342C775DA56CF90

Function 001EF580 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b9970b4e61b3a89387c81d03852b8640c12f30169ca405eadcc1892538b820
Instruction ID: ed968c98337797a68b82d16a3d1972157e6785e05773b6b2c6e4a6c15b3b1918
Opcode Fuzzy Hash: 80b9970b4e61b3a89387c81d03852b8640c12f30169ca405eadcc1892538b820
Instruction Fuzzy Hash: CCE11376E1062A9FCB05CFA9D4816ADFBF1BF88324F1942A9E854B7340D730AD45CB90

Function 0020036F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e8584a4d6b5d3747f8068c620ccbdbb7811d06a98abb5351065b7086c59d11
Instruction ID: fdc5c3007f2ac8383ed83a26970daf65a4cdd85cb1b85a3feb8fb17bb89928f6
Opcode Fuzzy Hash: 60e8584a4d6b5d3747f8068c620ccbdbb7811d06a98abb5351065b7086c59d11
Instruction Fuzzy Hash: 58C1D97092074B8FEB28CF68C8C4BBABBA5BF45300F144619DA96976D3C331AD65CB15

Function 00212610 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 619408f5f7bb3310f35da1683e0af9d353d709d9cad6c64c72c35efb21ea85da
Instruction ID: e089d90df27a3e39a6692d6192221d52df45b69eb00c2d368a333525a77a947f
Opcode Fuzzy Hash: 619408f5f7bb3310f35da1683e0af9d353d709d9cad6c64c72c35efb21ea85da
Instruction Fuzzy Hash: 49B1E535520746DBDB389F24CC92AF7B3E8EF64308F14442DF942C6681EA75A9E9CB10

Function 0020DA86 Relevance: .3, Instructions: 270COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7fdd390772aeee6c87d715db5e25320fd28655c2f1c13395591b84385dd0f1c
Instruction ID: 6654fa6c09b49e26859d83c89e3c7b823b07a2d02edb2b45a9ba71d943f096d6
Opcode Fuzzy Hash: f7fdd390772aeee6c87d715db5e25320fd28655c2f1c13395591b84385dd0f1c
Instruction Fuzzy Hash: 1FB18E362217098FD715CF68C48AB657BE0FF45364F258658E899CF2E2C375E9A1CB40

Function 002AFC40 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6316bc3201bd39b7f6ce1a8a9b1729b27e69c99713c7f39ab6b6e37d4737025
Instruction ID: 8eecd7e9a785f4efd49be84b1fac25f9992ca3fb7f89fa840424c9c4ae109758
Opcode Fuzzy Hash: d6316bc3201bd39b7f6ce1a8a9b1729b27e69c99713c7f39ab6b6e37d4737025
Instruction Fuzzy Hash: B26197316245658FE729CF5EECC04763B66F38A301785462EEA81CB395C535EA27C7E0

Function 001FA928 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
Instruction ID: cea14e89ae032d5ab97d61f56a3683a3cb1f78ba1aef792c2b2e4e42ec56a203
Opcode Fuzzy Hash: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
Instruction Fuzzy Hash: A9518272D00219EFDF04CF98C940AFEBBB6FF88304F598469E555AB241D7789A50CB91

Function 001F71A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: db22b93f56604048edf0f734ff8631959753a207c314a0288beed1776416b111
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 88113D7720D08A43E7648A3DD8B46F7A795FBD532072D437AE3824BBD8D322E9499500

Function 0020BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0020BBEC

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: 4cc487ff1439af0a7ace3a53eb4d02a582b09c8f82cfa0ba8a355574d3b245e5
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: 64B137729203569FEB338F24CC82BEEBBA5EF55310F144156E904AB2C3D7749961CBA1

Function 001F72D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 001F7307
___except_validate_context_record.LIBVCRUNTIME ref: 001F730F
_ValidateLocalCookies.LIBCMT ref: 001F7398
__IsNonwritableInCurrentImage.LIBCMT ref: 001F73C3
_ValidateLocalCookies.LIBCMT ref: 001F7418

Strings

csm, xrefs: 001F73AD

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 4364b4f5467b940377a02d82a4276d8b55fabda3dcb28f2e91a3208e6fbba785
Instruction ID: 4dd225781fe67d3b7034759c7059b032e7c4bd572986fcad638bf7ddda7dbe82
Opcode Fuzzy Hash: 4364b4f5467b940377a02d82a4276d8b55fabda3dcb28f2e91a3208e6fbba785
Instruction Fuzzy Hash: 8A41CF34A0420DAFCF10DF68C885AAEBBF5BF04314F148165EE199B392DB31EA11DB91

Function 001DA060 Relevance: 9.1, APIs: 6, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001DA09D
std::_Lockit::_Lockit.LIBCPMT ref: 001DA0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 001DA0E7
__Getctype.LIBCPMT ref: 001DA1C5
std::_Facet_Register.LIBCPMT ref: 001DA1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 001DA223

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: af797b7e2fb43ce29f9a7bc58cd677b2e2de40d72e6fca44968b7a09e63a3e57
Instruction ID: 33dc549775adbaeb30254c15ed63fcc83532d53f89417e42ae18ac4a022fe722
Opcode Fuzzy Hash: af797b7e2fb43ce29f9a7bc58cd677b2e2de40d72e6fca44968b7a09e63a3e57
Instruction Fuzzy Hash: 7E51BAB4D00249CFCB12CF98C941BAEBBF4BF15710F14825AD855AB391DB74AE44CB92

Function 001DC430 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001DC45A
std::_Lockit::_Lockit.LIBCPMT ref: 001DC47C
std::_Lockit::~_Lockit.LIBCPMT ref: 001DC4A4
std::_Facet_Register.LIBCPMT ref: 001DC59A
std::_Lockit::~_Lockit.LIBCPMT ref: 001DC5C4

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: bba004ad7bf2d9ac3b5566742ffba7246262b782a86b81f3d403752e0e8f08f8
Instruction ID: a336f403e88ccac1bf2450389a9ebf8a19f742ea9a26765ac473ae458df5610e
Opcode Fuzzy Hash: bba004ad7bf2d9ac3b5566742ffba7246262b782a86b81f3d403752e0e8f08f8
Instruction Fuzzy Hash: 0A51EC74A0025ADFDB12CF58D850BAEBBF4FF11314F24855AE845AB380DBB5AA01CBD0

Function 001C4900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 001C499F

Strings

ios_base::eofbit set, xrefs: 001C4946
ios_base::failbit set, xrefs: 001C4828, 001C4941
ios_base::badbit set, xrefs: 001C4937, 001C4962

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: 2b54d4fedba340e7cdff0c233aae21be55b075dcc0cb34345c47897a0fd124d3
Instruction ID: cc73b777b8642338424be1c72b06872c9f70479b4aad96efe1bc206cc304908a
Opcode Fuzzy Hash: 2b54d4fedba340e7cdff0c233aae21be55b075dcc0cb34345c47897a0fd124d3
Instruction Fuzzy Hash: 48112C729086586BC711DE589C13FAA7398D729714F04462DFA54872C1EB75E901C792

Function 001F2729 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001F2730
std::_Lockit::_Lockit.LIBCPMT ref: 001F273B
std::_Lockit::~_Lockit.LIBCPMT ref: 001F27A9

Part of subcall function 001F288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 001F28A4

std::locale::_Setgloballocale.LIBCPMT ref: 001F2756

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: d8ff1136c0dfffdc131c7aeb351f556a3929cb2bf4283443f28bbc94ccad1aa8
Instruction ID: c50139fba705bb7c418919e0919f2e5086b5c4ef6ec9a40687c661a59f549222
Opcode Fuzzy Hash: d8ff1136c0dfffdc131c7aeb351f556a3929cb2bf4283443f28bbc94ccad1aa8
Instruction Fuzzy Hash: AA01BC7DA006289BC70BEF20D8415BD7BA5FFA9B50B144009EA2157395CF74AE42CB82

Function 001C7350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 001C750C
___std_exception_destroy.LIBVCRUNTIME ref: 001C7522

Strings

[json.exception., xrefs: 001C73A1

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 32afdd00e13889ef628507a755f6c45c3f8467bfe3c6f48e17a9d4e43fe08e0c
Instruction ID: 66071e4e48d57192b22fc967a5bde6fd1cd1c1b34a9e248cea5054862921da1b
Opcode Fuzzy Hash: 32afdd00e13889ef628507a755f6c45c3f8467bfe3c6f48e17a9d4e43fe08e0c
Instruction Fuzzy Hash: 4F51C1B1C046489FDB01DFA8C905BAEBBB4EF25314F14425DE851AB3C2D7B49A44CBE1

Function 001C47F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 001C499F

Strings

ios_base::failbit set, xrefs: 001C4828
ios_base::badbit set, xrefs: 001C4937, 001C4962

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: b4e6fb0c6136c3f9aa1a04523a0e829cb18529cda164e583a3a5a871c89fe19c
Instruction ID: 8e4379e5727aee972724f8dcb55789553e70311662382761b2e2d48fe724816e
Opcode Fuzzy Hash: b4e6fb0c6136c3f9aa1a04523a0e829cb18529cda164e583a3a5a871c89fe19c
Instruction Fuzzy Hash: C54126B1C04248ABCB04DF58CC56BEEBBB8EF19710F14825DF554AB381D775AA00CBA1

Function 001C4040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001C4061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001C40C4

Strings

bad locale name, xrefs: 001C40E6

Memory Dump Source

Source File: 00000000.00000002.3452995684.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000000.00000002.3452807575.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3452995684.0000000000345000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454102449.000000000034A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000034D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000004D4000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005F6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.00000000005FD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3454237327.000000000060C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455566999.000000000060D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455820853.00000000007AA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455850718.00000000007AB000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455888488.00000000007AC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3455930351.00000000007AD000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1c0000_dcmaM16D71.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 81cb878d5f7f671cd75a05b3014f746c7baddea68c4421e23e500d5f83e6a452
Instruction ID: cdcfe3f5f1b7ee6ff7be2c9d42dd2923c5f863eaac068d487986836195f4832e
Opcode Fuzzy Hash: 81cb878d5f7f671cd75a05b3014f746c7baddea68c4421e23e500d5f83e6a452
Instruction Fuzzy Hash: 0F11E670805B84EFD721CFA8C50478BBFF4AF26714F14868DE09597B81D3B59A04C791

Analysis Process: MPGPH131.exePID: 3668, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	0%
Total number of Nodes:	1828
Total number of Limit Nodes:	25

Executed Functions

Function 00337B00 Relevance: 15.3, APIs: 10, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000003F0,0000FFFF,00001006,?,00000008), ref: 00337BA7
recv.WS2_32(?,00000004,00000002), ref: 00337BC1
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00337C43
recv.WS2_32(00000000,0000000C,00000008), ref: 00337C64

Part of subcall function 00338590: WSAStartup.WS2_32 ref: 003385BB
Part of subcall function 00338590: socket.WS2_32(?,?,?,?,?,?,003F9328,?,?), ref: 0033865E
Part of subcall function 00338590: connect.WS2_32(00000000,003C9BFC,?,?,?,?,003F9328,?,?), ref: 00338671
Part of subcall function 00338590: closesocket.WS2_32(00000000), ref: 0033867D

recv.WS2_32(00000000,?,00000008), ref: 00337D1B
recv.WS2_32(?,00000004,00000008), ref: 00337E23
__Xtime_get_ticks.LIBCPMT ref: 00337E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00337E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00337EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00337EB9

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: recv$Sleep$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsetsockoptsocket
String ID:
API String ID: 56803616-0
Opcode ID: 14f113aa81b4e7c886033d4d6ca81b59a8173493ab5170a4592fda14dab2fb7b
Instruction ID: 79d5830eb69932ce1b7bddb492c0f900a9758d58ec73ff338faaef2ec9fbbe9e
Opcode Fuzzy Hash: 14f113aa81b4e7c886033d4d6ca81b59a8173493ab5170a4592fda14dab2fb7b
Instruction Fuzzy Hash: 9BB1ABB0D04348DFEB22DBA8CD89BADBBB5BF45300F204259E554AB2D2D7B45D84CB91

Function 00338590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 003385BB
socket.WS2_32(?,?,?,?,?,?,003F9328,?,?), ref: 0033865E
connect.WS2_32(00000000,003C9BFC,?,?,?,?,003F9328,?,?), ref: 00338671
closesocket.WS2_32(00000000), ref: 0033867D

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 32a973d9115589d8f794e4965f7acdc38b932b3f7d10cb142f753f0f56468da0
Instruction ID: a70202a66f05c70aa626a12c30ac4a8c4570a3aeb78805a11bd364363075c3ad
Opcode Fuzzy Hash: 32a973d9115589d8f794e4965f7acdc38b932b3f7d10cb142f753f0f56468da0
Instruction Fuzzy Hash: A331F5726057005BD7218F248C85B6BB7E5EFCA734F114F1AFAA8A22D0D774990486A3

Function 00279280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,003BD15C,00000000,74D723A0,-003F9880), ref: 002796C9

Strings

Ws2_32.dll, xrefs: 0027969A

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: Send
String ID: Ws2_32.dll
API String ID: 121738739-3093949381
Opcode ID: 7cbbce373a54b8f581c6d27f73a0cd94aef6f16dee24c1a6f386610572d3f3cb
Instruction ID: d947ec1e1ae461ec64a80fce01356de9ff068c374343f5e4c19a03cb55a6e028
Opcode Fuzzy Hash: 7cbbce373a54b8f581c6d27f73a0cd94aef6f16dee24c1a6f386610572d3f3cb
Instruction Fuzzy Hash: 7902E1B0D14398DFDF25CF98C8907ADBBB0EF55314F248289E4496B286D7701986CF92

Function 05120B59 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05120C6A

Strings

`, xrefs: 05120BE9

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID: `
API String ID: 2104809126-2679148245
Opcode ID: afcbd00c150307c315d38a3774bce0544d21aa1097ff953a785d6d2907d76780
Instruction ID: 7369367a14009c7bd50e6e48bc79ed53a78a4ecbcb8e29ece80385635642f68d
Opcode Fuzzy Hash: afcbd00c150307c315d38a3774bce0544d21aa1097ff953a785d6d2907d76780
Instruction Fuzzy Hash: 0E614AFF50C234AEA22AC1555B58AF76B6FDACB730331867BF407C6602E3950EA95131

Function 05120BC6 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05120C6A

Strings

`, xrefs: 05120BE9

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID: `
API String ID: 2104809126-2679148245
Opcode ID: 99471bc266c498a5cd55cf998ba26f086b04bb8f9970b20d8fac063174352479
Instruction ID: e93814bfaaa3ae6c3ec97637be4f0c68374fbb672af37281382c01fd95c1b294
Opcode Fuzzy Hash: 99471bc266c498a5cd55cf998ba26f086b04bb8f9970b20d8fac063174352479
Instruction Fuzzy Hash: F741E5FF20C234AEB22AC1452B58AF7676FD6CA7303328676F407D6606E3850EE91131

Function 05120987 Relevance: 1.9, APIs: 1, Instructions: 394
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c660454424f389c403eaa24826d4240eb034ce3c2c9c7674b4cdac228f31564
Instruction ID: ed6b0b07ab18d9bc167f3e3bbe756ddcf611f3ce52a91d9264731eba2ac9d050
Opcode Fuzzy Hash: 5c660454424f389c403eaa24826d4240eb034ce3c2c9c7674b4cdac228f31564
Instruction Fuzzy Hash: 2981EBFB10D134BEB22AC1456B58AF7676FD6CE730732866BF407D6602E3940EA95132

Function 05120991 Relevance: 1.9, APIs: 1, Instructions: 381
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1adcea4cc2ba1d2575c468a8115a1fad894433624707c73022e26db8e043fd3
Instruction ID: 10232dc1ff873dcfa57506a09b9b49069dd7b8b45cc27103eb3ab65fd5fc2479
Opcode Fuzzy Hash: d1adcea4cc2ba1d2575c468a8115a1fad894433624707c73022e26db8e043fd3
Instruction Fuzzy Hash: F271E8FB10D134BDB22AC1456B58AF7676FD6CE7307328667F407D6602E3940EA95131

Function 051209A4 Relevance: 1.9, APIs: 1, Instructions: 377
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ea83ffd3b51e30d8ece721e91fe2921bf33e2f73bbc22343f6d09b46b55400c2
Instruction ID: 9aa67baef5bc6f5cb531f6c976bcfaa086756387a59fdf22595f27f34d9b69af
Opcode Fuzzy Hash: ea83ffd3b51e30d8ece721e91fe2921bf33e2f73bbc22343f6d09b46b55400c2
Instruction Fuzzy Hash: 6871D8EF10D134BEB22AC1456B58AFB676FD6CE7307328667F407D6502E3940EA95131

Function 051209B6 Relevance: 1.9, APIs: 1, Instructions: 375
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 0ad1193482162a73c87a3165f543d2853a01a87c50706101220241ed0fc210d6
Instruction ID: dd35ef712c3d51cc458f87d136afc5381029035bc78dd1f64bd13124a1ed6073
Opcode Fuzzy Hash: 0ad1193482162a73c87a3165f543d2853a01a87c50706101220241ed0fc210d6
Instruction Fuzzy Hash: 2371C6EF10D134BDB22AC1456B58AF7676FD6CE7307328667F407D6602E3940EA91131

Function 051209C7 Relevance: 1.9, APIs: 1, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: dc913795c2686aeca4c95f53616664958c73769b9bae882e5040306023a70ba8
Instruction ID: c665f637166eecf403dc5e18c44a3d93b64d6238e5eb273ee830738d1ffa968e
Opcode Fuzzy Hash: dc913795c2686aeca4c95f53616664958c73769b9bae882e5040306023a70ba8
Instruction Fuzzy Hash: 3171D6FF10D134BEB22AC1456B58AFB676FD6CE7307328666F407D6602E3940EA95131

Function 051209E4 Relevance: 1.9, APIs: 1, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: a7ed9558f91e59e1679df90c2f40c8f45fea682a5ee3b71eea52827a49f6e5d1
Instruction ID: 83860948f4c0bf5bdd5c7d96b5ce461b7e563db467bfae39e677f2dcddc17a53
Opcode Fuzzy Hash: a7ed9558f91e59e1679df90c2f40c8f45fea682a5ee3b71eea52827a49f6e5d1
Instruction Fuzzy Hash: B471D6FB10D134BEB22AC1456B58AFB676FD6CE7307328666F407D6602E3940EA91131

Function 05120A00 Relevance: 1.9, APIs: 1, Instructions: 361
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ab7202d3358aeeee40e3d110efc462f5ffb1b2a75a44eb7e19c98db555c947
Instruction ID: 57f926bdb52a2fd0e75ae3a5695f9ac189bd630ccb983d6c1aefcdbfda3e8f69
Opcode Fuzzy Hash: 37ab7202d3358aeeee40e3d110efc462f5ffb1b2a75a44eb7e19c98db555c947
Instruction Fuzzy Hash: 6071F6FB20D134BEB22AC1456B58AFB676FD6CE7307328667F407D6602E3940EA95131

Function 05120A2E Relevance: 1.8, APIs: 1, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6c6187d2533b2c7316192b49b58811b18cd784abac7f09519cbf37433903f28d
Instruction ID: 5815efdd37dc2c4f243616ba4695cf260ed1307869bb180f139f3eb6be0b7688
Opcode Fuzzy Hash: 6c6187d2533b2c7316192b49b58811b18cd784abac7f09519cbf37433903f28d
Instruction Fuzzy Hash: 8561E8FF50C134BEB22AC1456B58AF76B6FD6CE7307328A66F407D6602E3944EA91131

Function 05120A1A Relevance: 1.8, APIs: 1, Instructions: 347
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8a96e218cae7c5d78138dfa576109762fd4c92a388ca15072d604ee9d3b523ab
Instruction ID: dd11eb704315c894b902bfaabd49060162dd17930163c80d4808e97b87dca0eb
Opcode Fuzzy Hash: 8a96e218cae7c5d78138dfa576109762fd4c92a388ca15072d604ee9d3b523ab
Instruction Fuzzy Hash: 2961D6FF20C134BEB22AC1456B58AFB676FD6CE7307328666F407D6602E3944EA95131

Function 05120A76 Relevance: 1.8, APIs: 1, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a87021c8081d31026481d4178d29bad1ccd1eba689011ef52c7b68df888abc46
Instruction ID: a64dbe0820e2da176797b6c770239dc524dc767629fe2a97977a55b61f742376
Opcode Fuzzy Hash: a87021c8081d31026481d4178d29bad1ccd1eba689011ef52c7b68df888abc46
Instruction Fuzzy Hash: DF7109FB10C234AEB22AC1456B58AF76B6FDACA7307328577F407C6602E3940EA95131

Function 05120A55 Relevance: 1.8, APIs: 1, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 235e976d7ac00c8d6009aeefa420970c08095a56912f2c02f9237f80b41d8ccc
Instruction ID: 56752758a872e9d99d10b3fa92dd2a46efb6b55a371f51b42c8419f46b1e4f72
Opcode Fuzzy Hash: 235e976d7ac00c8d6009aeefa420970c08095a56912f2c02f9237f80b41d8ccc
Instruction Fuzzy Hash: F36109FF10C234BEB22AC1456B58AF7676FD6CE7307328666F407D6602E3940EA91131

Function 05120A93 Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f969ab653bf0b362b3f767c7622ff7fc75eba00d365a177da24b2f0a0a447b09
Instruction ID: 6c34b00d8f6e850877992eed32b0afffcdf37840ed2bd7a34d29bdc73ff09a4b
Opcode Fuzzy Hash: f969ab653bf0b362b3f767c7622ff7fc75eba00d365a177da24b2f0a0a447b09
Instruction Fuzzy Hash: C6611AFB50C134AEB22AC1456B58AF76B6FDACA330731857AF407D6602D3944EA95131

Function 05120AE9 Relevance: 1.8, APIs: 1, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 12ce7e660f62905dbc5a1e76a2e44e6e120db6a7898d999dfdc87529c4982e8e
Instruction ID: df40bce63bb37aef84b3fc32f7e13ae1cce5204ac50a75a67cd5be33c3cd5126
Opcode Fuzzy Hash: 12ce7e660f62905dbc5a1e76a2e44e6e120db6a7898d999dfdc87529c4982e8e
Instruction Fuzzy Hash: C05107EF50C234BEB22AC1456B58AF76B6FE6CE7307318666F407D6602E3940EA95131

Function 05120B06 Relevance: 1.8, APIs: 1, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1bdb092ac4a0ea8b23e771ab77dfa9efc1a2ca28c1754caa5ea974db7a4d5a53
Instruction ID: e9c7f6fcbae77cd9e51b056ec224e8933aef04d010d383cc355d8a02cda71763
Opcode Fuzzy Hash: 1bdb092ac4a0ea8b23e771ab77dfa9efc1a2ca28c1754caa5ea974db7a4d5a53
Instruction Fuzzy Hash: 5B51E7EF20C134BEB22AC1856B58AF7676FD7CE7307328666F407D6602E7950EA91131

Function 05120B74 Relevance: 1.8, APIs: 1, Instructions: 282COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05120C6A

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 643f8efe1e48572533770b6c706a05f076de8452f0566bbd9fab65e37547c353
Instruction ID: fd69a68dd8d670df0e24fed339d18dd0f879f92da1f456c02bc4757d2563b5d5
Opcode Fuzzy Hash: 643f8efe1e48572533770b6c706a05f076de8452f0566bbd9fab65e37547c353
Instruction Fuzzy Hash: 6551F9EF50C134BEB22AC1852B58AF7676FE6CE7307328667F407D6602E3950EA91131

Function 05120B32 Relevance: 1.8, APIs: 1, Instructions: 279COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05120C6A

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 15758137bd28468b8062c8236f45e99bb33a2f263ecb94736b743d4eee0cc1f4
Instruction ID: 5b042a861eb40fdf78f53268c6e7f69da38901130ec48fba3e61cbe90fc0dd82
Opcode Fuzzy Hash: 15758137bd28468b8062c8236f45e99bb33a2f263ecb94736b743d4eee0cc1f4
Instruction Fuzzy Hash: 0951E3FF64C134BEB26AC1856B58AF7676FE6CE7303328666F407D6601E3940EA91131

Function 05120B20 Relevance: 1.8, APIs: 1, Instructions: 277COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05120C6A

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 471dac8245715c237e5bb775f0fb77f1e27908bee5c9369a5099ae81b6de3e08
Instruction ID: b6b3f894a6759333e36d0fe4150e5c0677d0644c51ec080eda7a04da9244e6ef
Opcode Fuzzy Hash: 471dac8245715c237e5bb775f0fb77f1e27908bee5c9369a5099ae81b6de3e08
Instruction Fuzzy Hash: B651E4EF60C134BDB26AC0852B58AF7666FE7CA7307328676F40BD6601E7940EE91031

Function 05120B97 Relevance: 1.8, APIs: 1, Instructions: 276COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05120C6A

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 9ad3a04cfe81df24a8a616bdbf357ba4562ee07d71350f22e5a3969f720922af
Instruction ID: f099e9efe20fb07a9fde16fb44b1333a1b75ad49f7801577e1b045627b0d138f
Opcode Fuzzy Hash: 9ad3a04cfe81df24a8a616bdbf357ba4562ee07d71350f22e5a3969f720922af
Instruction Fuzzy Hash: D05107EF50C134BD722AC1856B58AF76A5FE6CE7303328A67F40BD6601E3944EE91031

Function 05120AE3 Relevance: 1.8, APIs: 1, Instructions: 272COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05120C6A

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f5839461aaf96e772fd8346df685ac26ddfdc5f17ac2e95f960279cedf1a1b31
Instruction ID: b3e503ec97a035c01b17b3e006486c349432f9629b9006d72b2ef268ae03a9a2
Opcode Fuzzy Hash: f5839461aaf96e772fd8346df685ac26ddfdc5f17ac2e95f960279cedf1a1b31
Instruction Fuzzy Hash: 7151D4EF50C134BD726AC0852B58AF7666FE6CE7307328667F407D6601E3940EA91031

Function 05120C06 Relevance: 1.7, APIs: 1, Instructions: 229COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05120C6A

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c1279ca06d3c7a2ff40e13f690e8c9d4813adaf8da27b53d375bed7b6932b2ed
Instruction ID: 6015406d3b8671df2efe2ef1acdf00bd1a028bb0e479fdadeeaa4357ee35608a
Opcode Fuzzy Hash: c1279ca06d3c7a2ff40e13f690e8c9d4813adaf8da27b53d375bed7b6932b2ed
Instruction Fuzzy Hash: 8741E9EF14D134BEB22AC1452B58AF76B6FD6CA7303328666F40BD6502D7840EE91131

Function 05120C0F Relevance: 1.7, APIs: 1, Instructions: 216COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05120C6A

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1f39ac5b85660d8dc1c0765f2717ab880ca5967ac335296ed959dee466f6d7c5
Instruction ID: f3b3590d6e265e58b0be0b9546c9e9d81ad495d710e006e4acfb804d2376ebf6
Opcode Fuzzy Hash: 1f39ac5b85660d8dc1c0765f2717ab880ca5967ac335296ed959dee466f6d7c5
Instruction Fuzzy Hash: F941E5EF10D134BEB22AC1452B58AF76B6FD6DA7303328A77F407D6606E7840EA91131

Function 05120C3A Relevance: 1.7, APIs: 1, Instructions: 209COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05120C6A

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b55bb3a004cf601447a9c1937b469cbce691a6379bc969f7ee2b3850465b79e5
Instruction ID: c4b5b36f779bb00bb4c2bd6d4a10a8b0fcdb2eb63c85d9a9244a004fdd64dbf7
Opcode Fuzzy Hash: b55bb3a004cf601447a9c1937b469cbce691a6379bc969f7ee2b3850465b79e5
Instruction Fuzzy Hash: EE41D5EF10D134AEB22AC1856B58AF76B6FD6CA7307328677F407D6606E7840EE91131

Function 05120CB0 Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05120C6A

Memory Dump Source

Source File: 00000005.00000002.3462685148.0000000005120000.00000040.00001000.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5120000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b001a4483de140166dcc8834cc3d8d81ffd032af1b1abef336e991efafd4bf4b
Instruction ID: 6173dd140f0007ec0f22a5def8ac5fe3b53c2a0a8e0412e6d4c8018b993c9eb8
Opcode Fuzzy Hash: b001a4483de140166dcc8834cc3d8d81ffd032af1b1abef336e991efafd4bf4b
Instruction Fuzzy Hash: DB41B4EF10C134ADB22AC1852B58AF76B6FE6CA7307328666F40BD6506E7840EE91531

Function 002B9789 Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002B990E

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 99070719ef2d93a0d84073d5d62ca4072f01224507306a20e9e34ce853210a82
Instruction ID: b2718675f68f62c82e11c92f690de0b762bf814f5fdb073358f3190e787a55d3
Opcode Fuzzy Hash: 99070719ef2d93a0d84073d5d62ca4072f01224507306a20e9e34ce853210a82
Instruction Fuzzy Hash: B861C8B1D2411ABFDF11CFA8C884EEEBFB9AF09344F140149EA00A7256D771D9A1CB60

Function 002B251C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,002B2626,?,?,?,?,?), ref: 002B2558

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 56d213dbd91de9293ad3575466b4c9ec5c5aacf4fad093dafcfd666e5dc94b7e
Instruction ID: 28cc41648bdef4c2737e92d7cd6a63b5d2f2f93b2d847f29fc2976d8b4316546
Opcode Fuzzy Hash: 56d213dbd91de9293ad3575466b4c9ec5c5aacf4fad093dafcfd666e5dc94b7e
Instruction Fuzzy Hash: 6101DB32620615AFCF1D8F55DC258DE7B59DF85370F390104FC11AB1A1E671ED618B90

Function 002732D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0027331F

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: 0ac005857ee6407b8a2d41b35a0a975707a6a027ac5cba7ce810bafe7a2ed3a8
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: 0AF024325201019BDB28AF60E4055EAB3ECEF2436175048BBF88CC7612EF36DA609BC0

Function 002BA65A Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,002B9FE0,00000001,00000364,00000001,00000006,000000FF,?,002A4B3F,?,?,74D723A0,?), ref: 002BA69B

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fa80724fb86a737f60587e4f842d720a8a6cf01521e617fa1fd9710ae7941711
Instruction ID: d56e73f6becb651b15f7534a9c68faafa63a33a798b5cf801eab872cb1e006fd
Opcode Fuzzy Hash: fa80724fb86a737f60587e4f842d720a8a6cf01521e617fa1fd9710ae7941711
Instruction Fuzzy Hash: C3F0E9721315226A9F256E65DC01BEA374DAF417E0F1D8111EC14EB080CE30DC3089E6

Function 002BB094 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,002A4B3F,?,?,74D723A0,?,?,00273522,?,?), ref: 002BB0C6

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 63758fccaa53b7d7c601e5ac656ee40500893e6bfb15f8b6807af92025f41f0a
Instruction ID: 0b27abcd5bd83b549b13e4cd8bc30d64bf550bea58b72dd2972eb15100b5db86
Opcode Fuzzy Hash: 63758fccaa53b7d7c601e5ac656ee40500893e6bfb15f8b6807af92025f41f0a
Instruction Fuzzy Hash: F0E0653117162266DA333A659C11BFB764D9F413E0F550A11AC24A61D1DBE1DC3085A5

Function 002B8DFF Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,002B8CE6,00000000,?,003EA178,0000000C,002B8DA2,?,?,?), ref: 002B8E55

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: bcd7e3ab3165c9db126017a0f9ceb983477c1614edbcf34d4c3153ad4c96f86f
Instruction ID: 63d03883b37eef07a3cb8f328999506f3057a08fbcade95fb7e014098ccfb278
Opcode Fuzzy Hash: bcd7e3ab3165c9db126017a0f9ceb983477c1614edbcf34d4c3153ad4c96f86f
Instruction Fuzzy Hash: 1E116B3363551016EA2936346845BFE679D4F827F4F2E0619F91C9B0D2DE70CCB1C151

Function 0513046F Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3462923073.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5130000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5f4dd2ab8217461c42d2ae5d7289c9be39ab3483e6936d34e211358c6073517
Instruction ID: f2fadfbef8d1b30cc385629b82ba95c90075d146955f3b9e8e5e349bae1d6170
Opcode Fuzzy Hash: e5f4dd2ab8217461c42d2ae5d7289c9be39ab3483e6936d34e211358c6073517
Instruction Fuzzy Hash: 711133BB50C210BEF355C5856B69AFB67AED7DA730B32C867F842C6102E3954E095131

Function 05130469 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3462923073.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5130000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a857232d736f85a66a1832c02a23902db1cb51d6d9d9c3b58379b5e9feeac741
Instruction ID: 0684471c9c76c62b901bf7c1e90bab090c7fa90db7002a762714d857c2f13c57
Opcode Fuzzy Hash: a857232d736f85a66a1832c02a23902db1cb51d6d9d9c3b58379b5e9feeac741
Instruction Fuzzy Hash: A9010CFB10C210BEB256C5866B29AFB67AED6CA730732C877F443C6102E3994E496135

Function 051304D7 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3462923073.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5130000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6edd114cc425a1f6cd834a3131461c0090c1572afb12f7d71ccf6eb05c3004a
Instruction ID: 78ab25f82ed3c71838a89f1ee2e6b0d3107579d2221f981ceb747e1da21770dd
Opcode Fuzzy Hash: c6edd114cc425a1f6cd834a3131461c0090c1572afb12f7d71ccf6eb05c3004a
Instruction Fuzzy Hash: 31016DEB10C110BEF259C5817B69AFA67EED7CA730732886BF442C6002E3994A4E6135

Function 0513049D Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3462923073.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5130000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6534f6952a8fb0bb4fb196a1629708afeb8a1db10d7793e9f3deb6de2a6bec
Instruction ID: 706b839cf8c9f0b6ef6824250eb031b047eb158a1dbd59406cf49c1c96f70d85
Opcode Fuzzy Hash: 9f6534f6952a8fb0bb4fb196a1629708afeb8a1db10d7793e9f3deb6de2a6bec
Instruction Fuzzy Hash: 96011EBB50C210FDF255C5817B69AFA67AEE6CA730732C877F442C6102E3994A4E6131

Function 051304F0 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3462923073.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5130000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960063879059c46c03703430b1ec710f7521893bf1a163f4eb7166ff2cb05a4c
Instruction ID: aaa72efec5d5c40e6d3d51f56207cddbde05e847c5413bfccd623bdfc4fcc95b
Opcode Fuzzy Hash: 960063879059c46c03703430b1ec710f7521893bf1a163f4eb7166ff2cb05a4c
Instruction Fuzzy Hash: 5AF074FB61C060BDB255C1923F69AFB57AEE5D5A31332C82BF802C5406E38A4B4E6131

Function 0513050B Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3462923073.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5130000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef81aa83b8a1d2a9460415ad40216adff102e56114c4149225e6bc01649486c8
Instruction ID: 2c55ef5b712a426a082b9458cb4be83b3a77f220504a51fbe5819f070795432e
Opcode Fuzzy Hash: ef81aa83b8a1d2a9460415ad40216adff102e56114c4149225e6bc01649486c8
Instruction Fuzzy Hash: 8AE052BB20C120ADB115C0427F2AEFB67AED1D4A31332C827F402C5406E78A4A4E2032

Function 05130537 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3462923073.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5130000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e54297b136d36747cc8e45f8e49578d3d209536e4268452955553f8afdcb2002
Instruction ID: dd044284457a96c647e57bd06cf6455877fd7ba2a66f11de631f3919cc8b0b7e
Opcode Fuzzy Hash: e54297b136d36747cc8e45f8e49578d3d209536e4268452955553f8afdcb2002
Instruction Fuzzy Hash: C1E01AB760C210DEF264C5923B3EAFA37ADF6D5730332C827F002C1405D749560A5135

Non-executed Functions

Function 002AC960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: 80b3fa339f82122b0e9e544e827fcabe06d761cf03f4fdff635df8208b6c9988
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: FE023C71E1121A9BDF14CFA9C9807AEFBB1FF49314F24826AD919E7340DB31A951CB90

Function 0028A060 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0028A09D
std::_Lockit::_Lockit.LIBCPMT ref: 0028A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 0028A0E7
__Getctype.LIBCPMT ref: 0028A1C5
std::_Facet_Register.LIBCPMT ref: 0028A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 0028A223

Strings

PG', xrefs: 0028A1BF
E', xrefs: 0028A1AE
PD', xrefs: 0028A19A

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: PD'$PG'$E'
API String ID: 1102183713-296772504
Opcode ID: 60d84625269c321870243de85b1db2f6c70b5fe39c8d606c73e0e90eee090758
Instruction ID: eff3a569e27ae02317733a737fe9287f19c6946f03623e1f42262a434fcfa0a8
Opcode Fuzzy Hash: 60d84625269c321870243de85b1db2f6c70b5fe39c8d606c73e0e90eee090758
Instruction Fuzzy Hash: 3B51CAB4D11205CFDB12DF58C845BAEBBB4BB01710F14815AE845AB391DB74AE14CB92

Function 002A72D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002A7307
___except_validate_context_record.LIBVCRUNTIME ref: 002A730F
_ValidateLocalCookies.LIBCMT ref: 002A7398
__IsNonwritableInCurrentImage.LIBCMT ref: 002A73C3
_ValidateLocalCookies.LIBCMT ref: 002A7418

Strings

csm, xrefs: 002A73AD
`-', xrefs: 002A73DC

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: `-'$csm
API String ID: 1170836740-83844572
Opcode ID: eb5129a1509aeb7940f5fdea42eabb246665db7eed828f8fb3404deb1bd0632f
Instruction ID: e7130925ce2521ba356c3b8b9291d5350d115f62cea08ebb7c7193a0d9533b34
Opcode Fuzzy Hash: eb5129a1509aeb7940f5fdea42eabb246665db7eed828f8fb3404deb1bd0632f
Instruction Fuzzy Hash: 7041B334A2420A9FCF10DF68CC81AAE7FB5AF46314F148195ED149B391DF31A921CF95

Function 0028C430 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0028C45A
std::_Lockit::_Lockit.LIBCPMT ref: 0028C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 0028C4A4
std::_Facet_Register.LIBCPMT ref: 0028C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 0028C5C4

Strings

PD', xrefs: 0028C54E
E', xrefs: 0028C562

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: E'$PD'
API String ID: 459529453-207005594
Opcode ID: 099c9abab4cb4a0b3a7949531a80820e266761042ad5f7d9ebeece61937255ba
Instruction ID: 04638ea25e28e67670dd8d25aa7a6da063081b823bc7dd7e8df3b0e003af22aa
Opcode Fuzzy Hash: 099c9abab4cb4a0b3a7949531a80820e266761042ad5f7d9ebeece61937255ba
Instruction Fuzzy Hash: 2E51EDB4911245DFDB12EF58C840BAEBBF4FB01314F24815DE845AB381DBB5AE04CBA0

Function 002BBB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 002BBBEC

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: cdc596237ba662f3ce77e08062660e67d6033201eb08cb3056a373a9ec18004e
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: 8FB148729202569FDB13CF24CC81BEEBBA5EF55390F144156E944AF282D7F4E921CBA0

Function 002A2729 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002A2730
std::_Lockit::_Lockit.LIBCPMT ref: 002A273B
std::_Lockit::~_Lockit.LIBCPMT ref: 002A27A9

Part of subcall function 002A288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 002A28A4

std::locale::_Setgloballocale.LIBCPMT ref: 002A2756

Strings

`-', xrefs: 002A2778, 002A279C

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID: `-'
API String ID: 677527491-850853302
Opcode ID: 9c1c91dffb11d4b22cd92066b52ef04e143a079d96b08b275b38dbe2b69bfb77
Instruction ID: d3a84ff1dd501f7cea3147f817d6d549f2981559e4c0be2a6c39d19b810baa03
Opcode Fuzzy Hash: 9c1c91dffb11d4b22cd92066b52ef04e143a079d96b08b275b38dbe2b69bfb77
Instruction Fuzzy Hash: D401B179A20111CFC70AEF24D84197D7BB5BF86750B14000AF81157391CF34AE16CF91

Function 00277350 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0027750C
___std_exception_destroy.LIBVCRUNTIME ref: 00277522

Strings

[json.exception., xrefs: 002773A1
)', xrefs: 00277502, 0027751C

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )'$[json.exception.
API String ID: 4194217158-3484975215
Opcode ID: 253e77879df66892f0db02ee0fff639805cb4dc6d71a2beeb379d08c5deda496
Instruction ID: c52d74661e54674c008a959a49d2695ae2ce487d2c0002feb8a137af747c28cd
Opcode Fuzzy Hash: 253e77879df66892f0db02ee0fff639805cb4dc6d71a2beeb379d08c5deda496
Instruction Fuzzy Hash: D351F1B1C15748DFDB11DFA8C905B9EBBB4EF11314F108269E854A7382DBB85A44CBE1

Function 00274900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0027499F

Strings

ios_base::eofbit set, xrefs: 00274946
ios_base::failbit set, xrefs: 00274828, 00274941
ios_base::badbit set, xrefs: 00274937, 00274962

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: 604716ef037de747dfa135c380a61004ca7c0cb3d6f9715772cdc66060f54691
Instruction ID: eadcf8f316b9aaabeb78b9665c21b7e47094956d9c1fe35f325af4cfee47fe99
Opcode Fuzzy Hash: 604716ef037de747dfa135c380a61004ca7c0cb3d6f9715772cdc66060f54691
Instruction Fuzzy Hash: D9112C73924644EBC711EE5CDC42BA77398D706710F04862AFE5C872C1EB75A9258B92

Function 002736E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00273819
___std_exception_destroy.LIBVCRUNTIME ref: 002738F0

Strings

)', xrefs: 002737ED, 002738EA

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: )'
API String ID: 2970364248-641774962
Opcode ID: 8996ea3b7b77475126a7e0c08eccd432abd4ee941a668fa86889af7834bf8f05
Instruction ID: 58a5256877885751e01093c811ef01a7015b09f847f7305146640162b8b519d6
Opcode Fuzzy Hash: 8996ea3b7b77475126a7e0c08eccd432abd4ee941a668fa86889af7834bf8f05
Instruction Fuzzy Hash: 1A61ABB1C01248DFDB11DF98C845BDDFBB4FF19324F14825AE818AB282D7B55A54CBA1

Function 002747F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0027499F

Strings

ios_base::failbit set, xrefs: 00274828
ios_base::badbit set, xrefs: 00274937, 00274962

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: 1752f2705687943523609b8749fc7f0d92bff2e29829d02c3c42ea6421dcbdd0
Instruction ID: 15d42b873b51aa764f1ed3b13278ebe1b71469e63501a1f1ac471d2e9c3a28b2
Opcode Fuzzy Hash: 1752f2705687943523609b8749fc7f0d92bff2e29829d02c3c42ea6421dcbdd0
Instruction Fuzzy Hash: 7F4106B1D10248EFCB04EF58CC45BAEB7B8EB05710F14825EF558A7381DB755A10CBA1

Function 00274040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00274061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002740C4

Strings

bad locale name, xrefs: 002740E6

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: a9cc83db2e2213766dee099c76c83250dcceeaeb1161b38aa4111445d6b51c45
Instruction ID: 7faac44741581b92729de6deaa50b25d08920131feda2a594f5cbbb5b62b3fdc
Opcode Fuzzy Hash: a9cc83db2e2213766dee099c76c83250dcceeaeb1161b38aa4111445d6b51c45
Instruction Fuzzy Hash: 9411D370805B84EFD721CF68C50474BBFF4AF16714F14868DE0959BB81D3B95A04CBA1

Function 00286590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002865C9
___std_exception_copy.LIBVCRUNTIME ref: 002865FC

Strings

)', xrefs: 002865BA, 002865ED

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_copy
String ID: )'
API String ID: 2659868963-641774962
Opcode ID: 123be6cf39f18f8d199e1f8907df87c2684ebc01a62f92d8328519941ec621ad
Instruction ID: e2f976665c31f7f803b90caa95c2baf1acf2e14e2a92afb9d0b02c9e7bcc2375
Opcode Fuzzy Hash: 123be6cf39f18f8d199e1f8907df87c2684ebc01a62f92d8328519941ec621ad
Instruction Fuzzy Hash: DC1133B6910748EBC711DF59C980B85F7F8FF0A724F10876AF91497641E774A9448BA0

Function 00277A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00277A5C
___std_exception_destroy.LIBVCRUNTIME ref: 00277A72

Strings

)', xrefs: 00277A52, 00277A6C

Memory Dump Source

Source File: 00000005.00000002.3452978591.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000005.00000002.3452809333.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3452978591.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454063388.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3454226179.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455564770.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455818468.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455864962.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455913213.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.3455961682.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_270000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )'
API String ID: 4194217158-641774962
Opcode ID: a42d6aa48fbe70f0ad7044525cff6f328afa84e1345691169a26e7f23dbabe79
Instruction ID: 8aaf9455f6e72a9519bef7e15fdd8e30fe2b849b97671001748982469209d337
Opcode Fuzzy Hash: a42d6aa48fbe70f0ad7044525cff6f328afa84e1345691169a26e7f23dbabe79
Instruction Fuzzy Hash: 0EF04FB1845648DFC711DF98C901B89BBF8EB06728F50066EE414A3680D7B59A048BA1

Analysis Process: MPGPH131.exePID: 4924, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.9%
Signature Coverage:	0%
Total number of Nodes:	1809
Total number of Limit Nodes:	26

Executed Functions

Function 00337B00 Relevance: 15.3, APIs: 10, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000003E0,0000FFFF,00001006,?,00000008), ref: 00337BA6
recv.WS2_32(?,00000004,00000002), ref: 00337BC1
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00337C43
recv.WS2_32(00000000,0000000C,00000008), ref: 00337C64

Part of subcall function 00338590: WSAStartup.WS2_32 ref: 003385BA
Part of subcall function 00338590: socket.WS2_32(?,?,?,?,?,?,003F9328,?,?), ref: 0033865D
Part of subcall function 00338590: connect.WS2_32(00000000,003C9BFC,?,?,?,?,003F9328,?,?), ref: 00338671
Part of subcall function 00338590: closesocket.WS2_32(00000000), ref: 0033867D

recv.WS2_32(00000000,?,00000008), ref: 00337D1B
recv.WS2_32(?,00000004,00000008), ref: 00337E23
__Xtime_get_ticks.LIBCPMT ref: 00337E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00337E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00337EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00337EB9

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: recv$Sleep$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsetsockoptsocket
String ID:
API String ID: 56803616-0
Opcode ID: 07882220808ef02d25d173d0adfd1a331f33bb9ff3491f4a8c047d7119001435
Instruction ID: 6e88e2596ea480353adc92e049b3df65c15f7d898baf3cb82f0974d9b43bd8f6
Opcode Fuzzy Hash: 07882220808ef02d25d173d0adfd1a331f33bb9ff3491f4a8c047d7119001435
Instruction Fuzzy Hash: 5DB1CCB0D04308DFEB22DBA8CC89BADBBB5BF44300F204259E554AB2D2D7B45D84CB91

Function 00338590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 003385BA
socket.WS2_32(?,?,?,?,?,?,003F9328,?,?), ref: 0033865D
connect.WS2_32(00000000,003C9BFC,?,?,?,?,003F9328,?,?), ref: 00338671
closesocket.WS2_32(00000000), ref: 0033867D

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: d0ce7b0ec73892f75179ecefeaeb5ca3e8d2c02cee223630d0a992775c9b2da7
Instruction ID: 90eac93afa4c0809a83fd1c5b877a109403795b5a3c46b7a10b51818e5e7baa0
Opcode Fuzzy Hash: d0ce7b0ec73892f75179ecefeaeb5ca3e8d2c02cee223630d0a992775c9b2da7
Instruction Fuzzy Hash: 4C31F3B26057005BD7218F248C85B6BB7E5AFC5734F114F1AFAA8A32D0D7709D0486A7

Function 00279280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,003BD15C,00000000,74D723A0,-003F9880), ref: 002796C9

Strings

Ws2_32.dll, xrefs: 0027969A

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: Send
String ID: Ws2_32.dll
API String ID: 121738739-3093949381
Opcode ID: 527028127386127502a2c203da77353f7dca882e87147708b6865a7b8fe48c3b
Instruction ID: 902b516f2e11e8cbaada82e9ebffbdf5ac720692791cb2c9329838fc7fa35d1c
Opcode Fuzzy Hash: 527028127386127502a2c203da77353f7dca882e87147708b6865a7b8fe48c3b
Instruction Fuzzy Hash: 5602E1B0D14398DFDF25CF98C8907ADBBB0EF55314F248289E4896B286D7701986CF92

Function 04CC0000 Relevance: 1.9, APIs: 1, Instructions: 449
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a05d1a932564353f35dff6bfa82e5ae03f5ab2a10c9930a6c2fe81ca5452588d
Instruction ID: f28a4618dee75cdf9dbfed2084b90042ba63a1fd6761b919334c6ebb1810eba0
Opcode Fuzzy Hash: a05d1a932564353f35dff6bfa82e5ae03f5ab2a10c9930a6c2fe81ca5452588d
Instruction Fuzzy Hash: 9491F2EB24C210FEA61286D72B54AF7AB6FE6C7730338846FF407D6502F2842A493171

Function 04CC0017 Relevance: 1.9, APIs: 1, Instructions: 434
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e7326c2e3e3c61f3f7802895252c6864ba63dbfd55138af1bc12b63337d729
Instruction ID: edea94770c28637466aec1d73850a4cf6ff3808d31e90dfe2d29fdc41e7b9a6f
Opcode Fuzzy Hash: 60e7326c2e3e3c61f3f7802895252c6864ba63dbfd55138af1bc12b63337d729
Instruction Fuzzy Hash: 8F91BEEB24C210FEA11286C72B54AF76B6FE6C7730738846EF407D5902F6956A8A3171

Function 04CC005C Relevance: 1.9, APIs: 1, Instructions: 431
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb9d7ab458f51d15f5f62d07752ea3b7751e702e68a388184b511e868d2ad4f3
Instruction ID: 5dd3c6ed398245adccc623b1eebfeb9fea5a6171210094d1b02ba0637470f918
Opcode Fuzzy Hash: eb9d7ab458f51d15f5f62d07752ea3b7751e702e68a388184b511e868d2ad4f3
Instruction Fuzzy Hash: 2081B0EB24C210FEB21285D72B54AF76B6FE6C7730338846EF407D6502F6856A8A7171

Function 04CC0035 Relevance: 1.9, APIs: 1, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0b2d65cb9784deedf64938d63fa2d6c263e188f290a6f298328b1e81d2bf38
Instruction ID: 97961560e908855628ac402637a8d3c7e9bb475d7bb2aa445460849afa1959eb
Opcode Fuzzy Hash: 1d0b2d65cb9784deedf64938d63fa2d6c263e188f290a6f298328b1e81d2bf38
Instruction Fuzzy Hash: B481D1EB34C210FEA60286D72B54AF7AB6FE6C7730738846EF407D6502F6852A497171

Function 04CC00A6 Relevance: 1.9, APIs: 1, Instructions: 425
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c92a40eaee59ebd3520d87bf859794e8468e201d1c538dd2d6c8d6ca62cb62a
Instruction ID: 6484b779e19e2823a9fdc799cec3c4ed61314c61a5afdb0dd0043d422a35ac1a
Opcode Fuzzy Hash: 3c92a40eaee59ebd3520d87bf859794e8468e201d1c538dd2d6c8d6ca62cb62a
Instruction Fuzzy Hash: 0581BFEB34C210FEB11286C72B54AF76A6FE6C7730338846EF407D6502F6956A8A7171

Function 04CC00CC Relevance: 1.9, APIs: 1, Instructions: 405
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf149878d00038f4236463c4d3ea5231b8fe1add90f0e39bb46442d36dab132
Instruction ID: 9fa62081408d7926122426054ebfcdd01a3efa4d5ea7807263f5adad108251d2
Opcode Fuzzy Hash: 6cf149878d00038f4236463c4d3ea5231b8fe1add90f0e39bb46442d36dab132
Instruction Fuzzy Hash: 54818DEB34C120FEB11285C72B54AF7AA6FE6C7730738842EF407D5602F6956A8A3171

Function 04CC0089 Relevance: 1.9, APIs: 1, Instructions: 402
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CC028B

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 2ad9578521106cb65fccfaa57c4e77a28739c4ce39f24bbc639e12d24382d3a1
Instruction ID: 012e3aecd362b08f6c0c1db9a640f3a1947b25b7fa451dcd0f66bca7a50fd597
Opcode Fuzzy Hash: 2ad9578521106cb65fccfaa57c4e77a28739c4ce39f24bbc639e12d24382d3a1
Instruction Fuzzy Hash: FC818CEB24C220FEB11285D72B54AF7AB6FE6C7730738846EF407D5502F6952A4A7131

Function 04CC00E1 Relevance: 1.9, APIs: 1, Instructions: 401
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c89122123daecaeac2d773343b5ac39fc13446f21209e75135602dfb10aeaa3
Instruction ID: 39b65b7b03e43db2e5ebda3502127d85445afd2a2aeedc5c82f9528eb84e747e
Opcode Fuzzy Hash: 8c89122123daecaeac2d773343b5ac39fc13446f21209e75135602dfb10aeaa3
Instruction Fuzzy Hash: C4819DEB24C160FEB10285D72B54AF7AB6FE6C7730738846EF407D5902F6852B4A6171

Function 04CC00B6 Relevance: 1.9, APIs: 1, Instructions: 400
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CC028B

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e2ee33a0252fc14c0e5b73e2659de9f6352242a31619cdedf046a4af97543eb1
Instruction ID: 033e36aec4cb2ba851bc065a804bce008db7ddf3a41cc8b8c3b741c287f879da
Opcode Fuzzy Hash: e2ee33a0252fc14c0e5b73e2659de9f6352242a31619cdedf046a4af97543eb1
Instruction Fuzzy Hash: 84719DEB24C220FEB11285C72B54AF7AB6FE6C7730738846EF407D5902F6952A4A7171

Function 04CC01B3 Relevance: 1.9, APIs: 1, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fec668aa2a0b92abc67992909a9732df6e8c662c8af36d00e210c8904d14512
Instruction ID: b1e82d61b707ca767ed1dd6e065c250ba9f6a8e4e9378a1221879eb13ff648b3
Opcode Fuzzy Hash: 8fec668aa2a0b92abc67992909a9732df6e8c662c8af36d00e210c8904d14512
Instruction Fuzzy Hash: 6271AEEB24C220FEB11285C72B54AF7AB6FE6C7730338846EF407D5502E6855B8A7171

Function 04CC011B Relevance: 1.9, APIs: 1, Instructions: 377
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b06bdfba5f2f68168e96147d97a0f3118268552c141e767f6f587a3bb118e5
Instruction ID: e5a1ee6bb5f65b6db491f9612343da42f314cc29c5d41a40d858fed29afd26f8
Opcode Fuzzy Hash: 06b06bdfba5f2f68168e96147d97a0f3118268552c141e767f6f587a3bb118e5
Instruction Fuzzy Hash: 98718CEB24C120FDB11285C72B54AF7AA6FE6C7730738842EF407D5906F6856B8A3171

Function 04CC0137 Relevance: 1.9, APIs: 1, Instructions: 372
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CC028B

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1720828fcb7f2c45f3c4899b15d19f3b6646c941e55a94c87cd532ebe513e0b9
Instruction ID: b06011f51c89d236e25b4867fab1b5c8d1411f087cdee9f915f230809756d438
Opcode Fuzzy Hash: 1720828fcb7f2c45f3c4899b15d19f3b6646c941e55a94c87cd532ebe513e0b9
Instruction Fuzzy Hash: 4E618CEB24C120FEB15285C72B14AF7AA6FE6C7730738842EF407D5906F6856B8A3071

Function 04CC0141 Relevance: 1.9, APIs: 1, Instructions: 371COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CC028B

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b46365dbc5cdaf13d737de27f0f56e5628ebbb6798885a3335b377a20ae63b05
Instruction ID: 3ec41a03c80beef25e2f3f22cbb61105bfe76220754bf2b9c9e1761e231b55ee
Opcode Fuzzy Hash: b46365dbc5cdaf13d737de27f0f56e5628ebbb6798885a3335b377a20ae63b05
Instruction Fuzzy Hash: 82617BEB24C120FDB15285C72B54AF7AA6FE6C7730738842EF407D5902F6856B8A3171

Function 04CC0156 Relevance: 1.9, APIs: 1, Instructions: 366COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CC028B

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b08f426274b6b9aad88bd5dd7fa1844443aa815c3651b6ccd9827175385ea082
Instruction ID: 6d4171ed7da8bfcd477a027cd2b79bb5648644146287141a7093c467979b22af
Opcode Fuzzy Hash: b08f426274b6b9aad88bd5dd7fa1844443aa815c3651b6ccd9827175385ea082
Instruction Fuzzy Hash: 0B617BEB24C120FEB11285C72B54AF7AA6FE6C7730738846EF407D5906F6852B8A3071

Function 04CC017B Relevance: 1.9, APIs: 1, Instructions: 352COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CC028B

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f9a9e2e710f44e69fb3b408bd109b99d65dd6e0ab6bdc946483b029c74fe7dff
Instruction ID: 700e53e4ef3092452fc1e84faec7217fa337ffb1a0c9cab7c98e733403dd2d0e
Opcode Fuzzy Hash: f9a9e2e710f44e69fb3b408bd109b99d65dd6e0ab6bdc946483b029c74fe7dff
Instruction Fuzzy Hash: FD618EEB24C220FEB15281C72B54AF7AA6FE5C7770338846EF807D5906F6855B8A3171

Function 04CC0191 Relevance: 1.8, APIs: 1, Instructions: 349COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CC028B

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 21162643eb4028e4a18aaa8a18ba4b9f2f0d7c76947c3bedb13152f0dad9db62
Instruction ID: 3bc6187eb136968304a246006a673d0fd15a18beec4d0aad5294f09927ec5e23
Opcode Fuzzy Hash: 21162643eb4028e4a18aaa8a18ba4b9f2f0d7c76947c3bedb13152f0dad9db62
Instruction Fuzzy Hash: B8618EEB24C120FEB15281C72B54AF7AA6FE6C7730338846EF807D5906F6855B8A7171

Function 04CC0209 Relevance: 1.8, APIs: 1, Instructions: 343COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CC028B

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 26d1a1302c9caee45530ac598a6c95eac325dac84f950f20fb7afbb414fb0056
Instruction ID: 5eae1560e165ca1724ae8d3494a032d725f052b7e576af785b75d13da701f345
Opcode Fuzzy Hash: 26d1a1302c9caee45530ac598a6c95eac325dac84f950f20fb7afbb414fb0056
Instruction Fuzzy Hash: BA618DEB24C120FEB51282C72B54AF76B6FE6C7730338846EF807D5502E6856B8A7171

Function 04CC01EC Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CC028B

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ab7da1066dd979e3661fb9f773d205287c4a67304c7ad98fd4d45b173bdae7f2
Instruction ID: 8c8dffbe4b4ed3f159110beac98beccffa684d63944d48bba538fb873595b8bb
Opcode Fuzzy Hash: ab7da1066dd979e3661fb9f773d205287c4a67304c7ad98fd4d45b173bdae7f2
Instruction Fuzzy Hash: 7C516CEB24C120FEB15291C72B14AF76B6FE6C7730338846AF407D5502F6856B4A7171

Function 04CC0240 Relevance: 1.8, APIs: 1, Instructions: 289COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CC028B

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 800c6a99f03d0818131ee2567fad102bdca4b3e496fc7150ca92d963ad656ac9
Instruction ID: db590f2dc2f3af816aaf56d812136549c6e214e1cee31174d249d21b084abf2f
Opcode Fuzzy Hash: 800c6a99f03d0818131ee2567fad102bdca4b3e496fc7150ca92d963ad656ac9
Instruction Fuzzy Hash: 7A518BEB24C120FEA20292D72B54AF76B6FE6C7730338846EF407D5606F6856B4A7071

Function 04CC0276 Relevance: 1.8, APIs: 1, Instructions: 263COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CC028B

Memory Dump Source

Source File: 00000006.00000002.3463546272.0000000004CC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4cc0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8134bbd198e5a7428ccdca5db0a83c7ac5ae30a08d14c373b45c6c28051379e4
Instruction ID: aa09cbd4dd5243427063fd3b0616ecd55eccfa9dd734a955416ce68e744ac052
Opcode Fuzzy Hash: 8134bbd198e5a7428ccdca5db0a83c7ac5ae30a08d14c373b45c6c28051379e4
Instruction Fuzzy Hash: 08519EEB24C120FEA10292D72B54AF76B6FE6C7730338846EF407D5902F6856B4A7171

Function 002B9789 Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002B990E

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 17d2447457f2b5972642c0dba88c9f4a1db1be814fefd16fa32d2a992341c8ff
Instruction ID: c2da066cc9468347704bc3e6611057c5761a53c3bea418ff2594bf5fdf349586
Opcode Fuzzy Hash: 17d2447457f2b5972642c0dba88c9f4a1db1be814fefd16fa32d2a992341c8ff
Instruction Fuzzy Hash: 3961C8B1C2411ABFDF11DFA8C840EEEBFB9AF49344F140149EA00A7256D771D9A1CB60

Function 002B251C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,002B2626,?,?,?,?,?), ref: 002B2558

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 8265e3baa2c4e3021c2f65404f8c77ef4c0cc2b7348179fbfa2a98928ea9aa75
Instruction ID: 760603478982777a4a3961bc587235d06c39bfcf0b194627a74c49fa616ea0a5
Opcode Fuzzy Hash: 8265e3baa2c4e3021c2f65404f8c77ef4c0cc2b7348179fbfa2a98928ea9aa75
Instruction Fuzzy Hash: D4014932620619AFCF2DCF19CC21CDE7B69DF85370B380108F811AB2A0E671ED618B90

Function 002732D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0027331F

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: 0ac005857ee6407b8a2d41b35a0a975707a6a027ac5cba7ce810bafe7a2ed3a8
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: 0AF024325201019BDB28AF60E4055EAB3ECEF2436175048BBF88CC7612EF36DA609BC0

Function 002BA65A Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,002B9FE0,00000001,00000364,00000001,00000006,000000FF,?,002A4B3F,?,?,74D723A0,?), ref: 002BA69C

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 016ebd4c37db6ebe38260baa3052aaed6ed1655ae21682b0818a503a81bbed62
Instruction ID: 10aeeba61009670bfae316ee75eb6bbc93b4eadbdf05269592c132c35147e8fd
Opcode Fuzzy Hash: 016ebd4c37db6ebe38260baa3052aaed6ed1655ae21682b0818a503a81bbed62
Instruction Fuzzy Hash: 95F0E9711315226A9F256E65DC01BEA374DAF413E0F1C8111EC14EA080CE30DC3089E6

Function 002BB094 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,002A4B3F,?,?,74D723A0,?,?,00273522,?,?), ref: 002BB0C7

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9c76f0b8d261aa3207285c4237837d9393cd5e1ee2516b5225648fd826ed3fff
Instruction ID: 6f0a7fbd7ef7c7ce7723c9c514ef6a283c3e942db96374ea85f181cac2497d7d
Opcode Fuzzy Hash: 9c76f0b8d261aa3207285c4237837d9393cd5e1ee2516b5225648fd826ed3fff
Instruction Fuzzy Hash: A1E065311316226ADA333B659C11BFB764D9F423E1F550A11AC24A61C1DBE1DC3085E5

Function 002B8DFF Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,002B8CE6,00000000,?,003EA178,0000000C,002B8DA2,?,?,?), ref: 002B8E55

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 275887d1110631617db0cc4eb70b81f6abe8236baccbc3f7c48844cab9b384af
Instruction ID: adeb29b6794b4e358cda69c12020fad0074c766e59eb31b33e60d2169d412ef6
Opcode Fuzzy Hash: 275887d1110631617db0cc4eb70b81f6abe8236baccbc3f7c48844cab9b384af
Instruction Fuzzy Hash: 5C116B3363552516EA2936345841BFE678D4F827F4F2E0659F91C9B0D2DEB0DCB1C151

Non-executed Functions

Function 002AC960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: 80b3fa339f82122b0e9e544e827fcabe06d761cf03f4fdff635df8208b6c9988
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: FE023C71E1121A9BDF14CFA9C9807AEFBB1FF49314F24826AD919E7340DB31A951CB90

Function 0028A060 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0028A09D
std::_Lockit::_Lockit.LIBCPMT ref: 0028A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 0028A0E7
__Getctype.LIBCPMT ref: 0028A1C5
std::_Facet_Register.LIBCPMT ref: 0028A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 0028A223

Strings

PG', xrefs: 0028A1BF
E', xrefs: 0028A1AE
PD', xrefs: 0028A19A

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: PD'$PG'$E'
API String ID: 1102183713-296772504
Opcode ID: 60d84625269c321870243de85b1db2f6c70b5fe39c8d606c73e0e90eee090758
Instruction ID: eff3a569e27ae02317733a737fe9287f19c6946f03623e1f42262a434fcfa0a8
Opcode Fuzzy Hash: 60d84625269c321870243de85b1db2f6c70b5fe39c8d606c73e0e90eee090758
Instruction Fuzzy Hash: 3B51CAB4D11205CFDB12DF58C845BAEBBB4BB01710F14815AE845AB391DB74AE14CB92

Function 002A72D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002A7307
___except_validate_context_record.LIBVCRUNTIME ref: 002A730F
_ValidateLocalCookies.LIBCMT ref: 002A7398
__IsNonwritableInCurrentImage.LIBCMT ref: 002A73C3
_ValidateLocalCookies.LIBCMT ref: 002A7418

Strings

`-', xrefs: 002A73DC
csm, xrefs: 002A73AD

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: `-'$csm
API String ID: 1170836740-83844572
Opcode ID: eb5129a1509aeb7940f5fdea42eabb246665db7eed828f8fb3404deb1bd0632f
Instruction ID: e7130925ce2521ba356c3b8b9291d5350d115f62cea08ebb7c7193a0d9533b34
Opcode Fuzzy Hash: eb5129a1509aeb7940f5fdea42eabb246665db7eed828f8fb3404deb1bd0632f
Instruction Fuzzy Hash: 7041B334A2420A9FCF10DF68CC81AAE7FB5AF46314F148195ED149B391DF31A921CF95

Function 0028C430 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0028C45A
std::_Lockit::_Lockit.LIBCPMT ref: 0028C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 0028C4A4
std::_Facet_Register.LIBCPMT ref: 0028C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 0028C5C4

Strings

E', xrefs: 0028C562
PD', xrefs: 0028C54E

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: E'$PD'
API String ID: 459529453-207005594
Opcode ID: 099c9abab4cb4a0b3a7949531a80820e266761042ad5f7d9ebeece61937255ba
Instruction ID: 04638ea25e28e67670dd8d25aa7a6da063081b823bc7dd7e8df3b0e003af22aa
Opcode Fuzzy Hash: 099c9abab4cb4a0b3a7949531a80820e266761042ad5f7d9ebeece61937255ba
Instruction Fuzzy Hash: 2E51EDB4911245DFDB12EF58C840BAEBBF4FB01314F24815DE845AB381DBB5AE04CBA0

Function 002BBB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 002BBBEC

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: cdc596237ba662f3ce77e08062660e67d6033201eb08cb3056a373a9ec18004e
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: 8FB148729202569FDB13CF24CC81BEEBBA5EF55390F144156E944AF282D7F4E921CBA0

Function 002A2729 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002A2730
std::_Lockit::_Lockit.LIBCPMT ref: 002A273B
std::_Lockit::~_Lockit.LIBCPMT ref: 002A27A9

Part of subcall function 002A288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 002A28A4

std::locale::_Setgloballocale.LIBCPMT ref: 002A2756

Strings

`-', xrefs: 002A2778, 002A279C

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID: `-'
API String ID: 677527491-850853302
Opcode ID: 9c1c91dffb11d4b22cd92066b52ef04e143a079d96b08b275b38dbe2b69bfb77
Instruction ID: d3a84ff1dd501f7cea3147f817d6d549f2981559e4c0be2a6c39d19b810baa03
Opcode Fuzzy Hash: 9c1c91dffb11d4b22cd92066b52ef04e143a079d96b08b275b38dbe2b69bfb77
Instruction Fuzzy Hash: D401B179A20111CFC70AEF24D84197D7BB5BF86750B14000AF81157391CF34AE16CF91

Function 00277350 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0027750C
___std_exception_destroy.LIBVCRUNTIME ref: 00277522

Strings

[json.exception., xrefs: 002773A1
)', xrefs: 00277502, 0027751C

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )'$[json.exception.
API String ID: 4194217158-3484975215
Opcode ID: 253e77879df66892f0db02ee0fff639805cb4dc6d71a2beeb379d08c5deda496
Instruction ID: c52d74661e54674c008a959a49d2695ae2ce487d2c0002feb8a137af747c28cd
Opcode Fuzzy Hash: 253e77879df66892f0db02ee0fff639805cb4dc6d71a2beeb379d08c5deda496
Instruction Fuzzy Hash: D351F1B1C15748DFDB11DFA8C905B9EBBB4EF11314F108269E854A7382DBB85A44CBE1

Function 00274900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0027499F

Strings

ios_base::failbit set, xrefs: 00274828, 00274941
ios_base::badbit set, xrefs: 00274937, 00274962
ios_base::eofbit set, xrefs: 00274946

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: 604716ef037de747dfa135c380a61004ca7c0cb3d6f9715772cdc66060f54691
Instruction ID: eadcf8f316b9aaabeb78b9665c21b7e47094956d9c1fe35f325af4cfee47fe99
Opcode Fuzzy Hash: 604716ef037de747dfa135c380a61004ca7c0cb3d6f9715772cdc66060f54691
Instruction Fuzzy Hash: D9112C73924644EBC711EE5CDC42BA77398D706710F04862AFE5C872C1EB75A9258B92

Function 002736E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00273819
___std_exception_destroy.LIBVCRUNTIME ref: 002738F0

Strings

)', xrefs: 002737ED, 002738EA

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: )'
API String ID: 2970364248-641774962
Opcode ID: 8996ea3b7b77475126a7e0c08eccd432abd4ee941a668fa86889af7834bf8f05
Instruction ID: 58a5256877885751e01093c811ef01a7015b09f847f7305146640162b8b519d6
Opcode Fuzzy Hash: 8996ea3b7b77475126a7e0c08eccd432abd4ee941a668fa86889af7834bf8f05
Instruction Fuzzy Hash: 1A61ABB1C01248DFDB11DF98C845BDDFBB4FF19324F14825AE818AB282D7B55A54CBA1

Function 002747F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0027499F

Strings

ios_base::failbit set, xrefs: 00274828
ios_base::badbit set, xrefs: 00274937, 00274962

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: 1752f2705687943523609b8749fc7f0d92bff2e29829d02c3c42ea6421dcbdd0
Instruction ID: 15d42b873b51aa764f1ed3b13278ebe1b71469e63501a1f1ac471d2e9c3a28b2
Opcode Fuzzy Hash: 1752f2705687943523609b8749fc7f0d92bff2e29829d02c3c42ea6421dcbdd0
Instruction Fuzzy Hash: 7F4106B1D10248EFCB04EF58CC45BAEB7B8EB05710F14825EF558A7381DB755A10CBA1

Function 00274040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00274061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002740C4

Strings

bad locale name, xrefs: 002740E6

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: a9cc83db2e2213766dee099c76c83250dcceeaeb1161b38aa4111445d6b51c45
Instruction ID: 7faac44741581b92729de6deaa50b25d08920131feda2a594f5cbbb5b62b3fdc
Opcode Fuzzy Hash: a9cc83db2e2213766dee099c76c83250dcceeaeb1161b38aa4111445d6b51c45
Instruction Fuzzy Hash: 9411D370805B84EFD721CF68C50474BBFF4AF16714F14868DE0959BB81D3B95A04CBA1

Function 00286590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 002865C9
___std_exception_copy.LIBVCRUNTIME ref: 002865FC

Strings

)', xrefs: 002865BA, 002865ED

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_copy
String ID: )'
API String ID: 2659868963-641774962
Opcode ID: 123be6cf39f18f8d199e1f8907df87c2684ebc01a62f92d8328519941ec621ad
Instruction ID: e2f976665c31f7f803b90caa95c2baf1acf2e14e2a92afb9d0b02c9e7bcc2375
Opcode Fuzzy Hash: 123be6cf39f18f8d199e1f8907df87c2684ebc01a62f92d8328519941ec621ad
Instruction Fuzzy Hash: DC1133B6910748EBC711DF59C980B85F7F8FF0A724F10876AF91497641E774A9448BA0

Function 00277A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00277A5C
___std_exception_destroy.LIBVCRUNTIME ref: 00277A72

Strings

)', xrefs: 00277A52, 00277A6C

Memory Dump Source

Source File: 00000006.00000002.3453216308.0000000000271000.00000040.00000001.01000000.00000005.sdmp, Offset: 00270000, based on PE: true

Associated: 00000006.00000002.3453133325.0000000000270000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3453216308.00000000003F5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454293047.00000000003FA000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000003FD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.0000000000584000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.000000000066A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006A6000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006AD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3454414581.00000000006BC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455660710.00000000006BD000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3455989932.000000000085A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456041331.000000000085B000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456110511.000000000085C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3456157365.000000000085D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_270000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )'
API String ID: 4194217158-641774962
Opcode ID: a42d6aa48fbe70f0ad7044525cff6f328afa84e1345691169a26e7f23dbabe79
Instruction ID: 8aaf9455f6e72a9519bef7e15fdd8e30fe2b849b97671001748982469209d337
Opcode Fuzzy Hash: a42d6aa48fbe70f0ad7044525cff6f328afa84e1345691169a26e7f23dbabe79
Instruction Fuzzy Hash: 0EF04FB1845648DFC711DF98C901B89BBF8EB06728F50066EE414A3680D7B59A048BA1

Analysis Process: RageMP131.exePID: 6024, Parent PID: 2580COMMON

Executed Functions

Function 00DE7B00 Relevance: 15.3, APIs: 10, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000404,0000FFFF,00001006,?,00000008), ref: 00DE7BA6
recv.WS2_32(?,00000004,00000002), ref: 00DE7BC1
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00DE7C43
recv.WS2_32(00000000,0000000C,00000008), ref: 00DE7C64

Part of subcall function 00DE8590: WSAStartup.WS2_32 ref: 00DE85BA
Part of subcall function 00DE8590: socket.WS2_32(?,?,?,?,?,?,00EA9328,?,?), ref: 00DE865E
Part of subcall function 00DE8590: connect.WS2_32(00000000,00E79BFC,?,?,?,?,00EA9328,?,?), ref: 00DE8671
Part of subcall function 00DE8590: closesocket.WS2_32(00000000), ref: 00DE867D

recv.WS2_32(00000000,?,00000008), ref: 00DE7D1B
recv.WS2_32(?,00000004,00000008), ref: 00DE7E23
__Xtime_get_ticks.LIBCPMT ref: 00DE7E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DE7E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00DE7EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00DE7EB9

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: recv$Sleep$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsetsockoptsocket
String ID:
API String ID: 56803616-0
Opcode ID: d79d5559512d96c5841a2a436169761a674c0725812c8840720a25889d355715
Instruction ID: b2682809752611a262af9d7f922c3cfa6389c30f193784cd721d1c5e0f4f52fb
Opcode Fuzzy Hash: d79d5559512d96c5841a2a436169761a674c0725812c8840720a25889d355715
Instruction Fuzzy Hash: F5B1AD71D04348DFEB14EBA5CC89BADBBB1EB49710F144258E444BB2D2D7746D48CBA1

Function 00DE8590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00DE85BA
socket.WS2_32(?,?,?,?,?,?,00EA9328,?,?), ref: 00DE865E
connect.WS2_32(00000000,00E79BFC,?,?,?,?,00EA9328,?,?), ref: 00DE8671
closesocket.WS2_32(00000000), ref: 00DE867D

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 150c35779cc8fe57d1e25c35e8c68082f3bd3d6ef85b85d2d0e664720bf251ed
Instruction ID: 506f9ad7b51feaa42d9aa1244e1e701daab22f47efbc2ddbc873f647fc77c965
Opcode Fuzzy Hash: 150c35779cc8fe57d1e25c35e8c68082f3bd3d6ef85b85d2d0e664720bf251ed
Instruction Fuzzy Hash: 543101725053406BD7209F258C4462FB7E5AFCA734F181F1EF9ACA22D0D730980496B3

Function 00D29280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00E6D15C,00000000,74D723A0,-00EA9880), ref: 00D296C9

Strings

Ws2_32.dll, xrefs: 00D2969A

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: Send
String ID: Ws2_32.dll
API String ID: 121738739-3093949381
Opcode ID: 5e62cb732c9a34f992958ff493cabc64d1def0b447639514954c6eb1fa98fac7
Instruction ID: 6593d0159fc3fe4e77f951e5a72011be6c1299ba025e000ef0538927c3d6de15
Opcode Fuzzy Hash: 5e62cb732c9a34f992958ff493cabc64d1def0b447639514954c6eb1fa98fac7
Instruction Fuzzy Hash: A002E170D04298DFDF25CFA4D8A07ACFBB0EF65314F24429DE4856B286D7701986CBA2

Function 00D69789 Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D6990E

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 2f79c2376e9820dde3e141e22411618e7a831796153208606338c48f6299d32d
Instruction ID: 0ec0b9e8a565508db847f842fde7fcb4c66231fbe16576b9ff33ad20a6deea82
Opcode Fuzzy Hash: 2f79c2376e9820dde3e141e22411618e7a831796153208606338c48f6299d32d
Instruction Fuzzy Hash: 8761AFB1D04119BFDF11DFA8C894AAEFBBDAF4A314F18014AE940A7256D732D905CBB1

Function 056E0B59 Relevance: 1.7, APIs: 1, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 056E0B64

Memory Dump Source

Source File: 00000007.00000002.3460116758.00000000056E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_56e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6d13af870a5f5b11a061c0506cc9d893e6fc93cbd254a31c2c49ff6f6df85efe
Instruction ID: dd410315132855d39507068663cdbcbf1f49c8cbe9f9d7ebcf182603113ac68f
Opcode Fuzzy Hash: 6d13af870a5f5b11a061c0506cc9d893e6fc93cbd254a31c2c49ff6f6df85efe
Instruction Fuzzy Hash: 424156EB14F121BDA603C1452B5CAF22BAFF6DA7307308067F407DA605E6E51A8BC631

Function 056E0B3A Relevance: 1.7, APIs: 1, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 056E0B64

Memory Dump Source

Source File: 00000007.00000002.3460116758.00000000056E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_56e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 19fa6575ceabb0379a8ff8e67cae5b1fd24759a75c245e1b854ecc8f2c0d404a
Instruction ID: ec0c22e3240977edbd74ebbb9c13b75f605fd39ba05bb4329deeaf686f528947
Opcode Fuzzy Hash: 19fa6575ceabb0379a8ff8e67cae5b1fd24759a75c245e1b854ecc8f2c0d404a
Instruction Fuzzy Hash: 0A3135EF14F111BDB642C5512B5CAF22BAFF6D67307308466F807DA606E2E51A4BC231

Function 056E0B85 Relevance: 1.7, APIs: 1, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 056E0B64

Memory Dump Source

Source File: 00000007.00000002.3460116758.00000000056E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_56e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 67e2332d3b3992d531e1731989259f67508488b25cd855091fe59bd28cdd841d
Instruction ID: 7f27ffacc859f80a0e149afadf892e164aa2e746b0e689c68ab8f2601ba6c867
Opcode Fuzzy Hash: 67e2332d3b3992d531e1731989259f67508488b25cd855091fe59bd28cdd841d
Instruction Fuzzy Hash: 0A3144EF50F111BCA602C5512B5CEF22BAFF6D6B307308466F847DA605E2E51A87C631

Function 056E0B44 Relevance: 1.7, APIs: 1, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 056E0B64

Memory Dump Source

Source File: 00000007.00000002.3460116758.00000000056E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_56e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b7e3723a78ee530cdd041a707933db34205f47d0e08806b5608e874adc4c7141
Instruction ID: af4e58dc84044752830885bc9546813ade57148dd5ee26fea417b5f2dd0ccef4
Opcode Fuzzy Hash: b7e3723a78ee530cdd041a707933db34205f47d0e08806b5608e874adc4c7141
Instruction Fuzzy Hash: 293131EF50F211BDA202C5512B5CAF62BAFF6D6B307308467F807DA605E2E51A87C631

Function 00D6251C Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00D62626,?,?,?,?,?), ref: 00D62558

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4d2ecef463f37cd906eaac71761115cbdfb37144e1b5e33a4df8d808ce6d7365
Instruction ID: 03e34f11102db00d8d55830b91c4c926614fa088533da43439f00e13926f1957
Opcode Fuzzy Hash: 4d2ecef463f37cd906eaac71761115cbdfb37144e1b5e33a4df8d808ce6d7365
Instruction Fuzzy Hash: E4012232610605AFCF19DF69CC15CAE7B69EB85330B280208F8519B2A1EA71ED418BB0

Function 00D232D0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00D2331F

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: 984c53d920273aa7d6f5b707e195fd496de202d6d9244376501c68c92e223d37
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: BEF0B4725001249BDF14AF64E4155E9B3E8DF343A6754097EEC8DC7212EF2ADB5487B0

Function 00D6A65A Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,00D69FE0,00000001,00000364,00000001,00000006,000000FF,?,00D54B3F,?,?,74D723A0,?), ref: 00D6A69B

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c09b7f60a3657a07eaa8522c4d1934abd092fcb10590909aa8be2389356007f7
Instruction ID: 6cd90ebfda477ddda6ff3f38fdb8ea06b99017dc23f6000f61ba745b02f0f439
Opcode Fuzzy Hash: c09b7f60a3657a07eaa8522c4d1934abd092fcb10590909aa8be2389356007f7
Instruction Fuzzy Hash: CFF0E232111D216F9B216AEEDC01A6A378DAF417A0F1D8162ECC4FB084CA30EC008EF6

Function 00D6B094 Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00D54B3F,?,?,74D723A0,?,?,00D23522,?,?), ref: 00D6B0C6

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0ec0385ec128c6bbc4763d8c169991d2f041cd48539964b8534e98f8c19a6a7c
Instruction ID: d7db45ca4d1ca2dd76c94f6d4cb31b54ebb14e674ee707954abeb1f7e5f228ee
Opcode Fuzzy Hash: 0ec0385ec128c6bbc4763d8c169991d2f041cd48539964b8534e98f8c19a6a7c
Instruction Fuzzy Hash: 69E092322416206BEB3136A59C11B5B7E4DDF433B0F1D0222FC64E61D2DB21DC9486B5

Function 00D68DFF Relevance: 1.3, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00D68CE6,00000000,?,00E9A178,0000000C,00D68DA2,?,?,?), ref: 00D68E55

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: e538caa12f632b65068e07f7b13231ee8825cb37cf1ef33566c3421febb3e6aa
Instruction ID: 9425f3acac08b2bd99fe086af927406bde04f7d5580b3636032bafbe10ae8ceb
Opcode Fuzzy Hash: e538caa12f632b65068e07f7b13231ee8825cb37cf1ef33566c3421febb3e6aa
Instruction Fuzzy Hash: F3116637A051206BCB252335A845B7E67898F92734F3D071EF9189B0C3EE63DC81A276

Function 056F01A4 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3460190907.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_56f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22b0349266ad2c589a872fd87a8a6e537b4f355e143f1539ef7fdba8be12a93
Instruction ID: 253a7c25e41fc755ce231742e1a472d9c5b6bb10aac1dd0158be78500cb3e22d
Opcode Fuzzy Hash: a22b0349266ad2c589a872fd87a8a6e537b4f355e143f1539ef7fdba8be12a93
Instruction Fuzzy Hash: C811B1FB98C120BD6502C981AB1C9FA7B2FE5D33303318426FA43D6403E2818A4BA371

Function 056F0191 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3460190907.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_56f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f20fac0800f06922e482a6db71ca1ebc1b7a23af31d920b22ac3a74e95112e4d
Instruction ID: 26994597e9279be7d7c110142698b2801ef0ea52db50efc8ce7ef95f08b363c8
Opcode Fuzzy Hash: f20fac0800f06922e482a6db71ca1ebc1b7a23af31d920b22ac3a74e95112e4d
Instruction Fuzzy Hash: D4116AFB58D220BD7112C5827B18AFA6B6FE5D67303308436FA07D6507E2D54A4FA272

Function 056F02D2 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3460190907.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_56f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1c32941fa1242d4acae3b643b2a7bcf1c67c539e9a86012daedf958062357a1
Instruction ID: cc81ff3433530b95332434d3781433b47ca4c7ddd4830ad5b527275c929b6bfe
Opcode Fuzzy Hash: c1c32941fa1242d4acae3b643b2a7bcf1c67c539e9a86012daedf958062357a1
Instruction Fuzzy Hash: 4511BFEB58C211BEA153D0526B189FABA2FE1D76B03308076F943D7647E2C54A4FA231

Function 056F01BE Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3460190907.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_56f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca93e66441c97d9013a6b609af7ba0945fab0a629ebe54d43d04c6fcc3e02ce
Instruction ID: 801fca02c10d66313a4548f62d83932b892cbe99ef044b64cdbfe2721812f369
Opcode Fuzzy Hash: 2ca93e66441c97d9013a6b609af7ba0945fab0a629ebe54d43d04c6fcc3e02ce
Instruction Fuzzy Hash: 23117CFB58C120BD6112C5816B189FA7B6FE5D77303308076FA47D6507E2C54A4BA371

Function 056F01EB Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3460190907.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_56f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ff2fe18122114b48bdb76fa07bc9d6b9175574fae3ec263aee97eb3006480e
Instruction ID: 1daf85b217261e80356fe82612a7343efb0d0786e97918ba9a5edbba7c8c14c8
Opcode Fuzzy Hash: 43ff2fe18122114b48bdb76fa07bc9d6b9175574fae3ec263aee97eb3006480e
Instruction Fuzzy Hash: 94118EBB98D110BDA112C5816B189FE6B6FE5E23307308437FA47D7507E2855A4EA372

Function 056F01D3 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3460190907.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_56f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09e95dd80c697bbf67af26c3771391e7022638104143bbe5c744b80e0e20bea
Instruction ID: 0aa83c73ac9344ec6ccb0359e6e59adf386b7ba54162968d8f05d33bba50bda2
Opcode Fuzzy Hash: b09e95dd80c697bbf67af26c3771391e7022638104143bbe5c744b80e0e20bea
Instruction Fuzzy Hash: 3701C0FB94C110BD6152C5817B189FA7B6FE5D27303308036FA43D6507E2C55A4EA371

Function 056F01FE Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3460190907.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_56f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3090ca72b32042cf959336f7b3cdee8bfc5a5bcf785bc28f6e1fcbe933fd3c00
Instruction ID: a4fb662f34b3f9488b0bd14c2a0f74fec44614fc1c7aaf550395dc64d010ef21
Opcode Fuzzy Hash: 3090ca72b32042cf959336f7b3cdee8bfc5a5bcf785bc28f6e1fcbe933fd3c00
Instruction Fuzzy Hash: DA019EBB50C110BDB652C4417B089FA2B6FD5D2330331842AFA47C6107D2960A4AA332

Function 056F0210 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3460190907.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_56f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4ca7b0c2b7035f7d6540fbad9f519bf1a55ac314e9f8c67634b567a05dcc56f
Instruction ID: 67eddb570b8bd6c1195bdfe5a4915f451744b648a04c8175faa579e7e2c012d4
Opcode Fuzzy Hash: e4ca7b0c2b7035f7d6540fbad9f519bf1a55ac314e9f8c67634b567a05dcc56f
Instruction Fuzzy Hash: E801ADBB50D120BDB552C4827B149FE675FE5E23303308427FA43C2107D6851A4AA332

Function 056F0232 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3460190907.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_56f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20b44c2392f8f00b398b7d946f4a423546b74b5d5f6a8e24365ab2be6ea97038
Instruction ID: f1a11e0509dd7517c6370e2b50d0392bb7e2a7f2afe45f7cd91a95d49c90f98f
Opcode Fuzzy Hash: 20b44c2392f8f00b398b7d946f4a423546b74b5d5f6a8e24365ab2be6ea97038
Instruction Fuzzy Hash: F5F0F6FB40D210AEB151D1527F189FA779FD6E27303308427F547C3507D1941A8BA232

Function 056F0253 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3460190907.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_56f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 952f54fd97a4e7b4614ff1b049e7400b7ce50045783c8c34ae94387f22f6ad92
Instruction ID: 8eea4800e8247f03dd21a16efb40feb1976f78e344b1816b500fb1038c42cb4c
Opcode Fuzzy Hash: 952f54fd97a4e7b4614ff1b049e7400b7ce50045783c8c34ae94387f22f6ad92
Instruction Fuzzy Hash: 4EF0E9F750D100FEB251C1427B449FA77AED6D1730330C46BF543D3406D6940A8AA331

Function 056F0285 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3460190907.00000000056F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 056F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_56f0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d39384faa6bd2701122c57ce619cdb45b08de3d2b3496292e145fdb0938fd6a1
Instruction ID: 7c422cfd35219b335beb0acf5ef46c66c6f0da0db2ad241d9382841111c121ab
Opcode Fuzzy Hash: d39384faa6bd2701122c57ce619cdb45b08de3d2b3496292e145fdb0938fd6a1
Instruction Fuzzy Hash: 62E0CDA344D101D9D7A2D0D163485B83B4B97D73717304077F547CB643D5D6469B5331

Non-executed Functions

Function 00D5C960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: e1f9adda3281e937fb19cf12b0e3b06702adfca8d545d5348acbeeb9fe1e1ff4
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: 59020A71E112199FDF14CFA9D8806AEBBF1EF48315F24826AED19E7340D731A945CBA0

Function 00D6BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D6BBEC

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: 5f07a9cc17a5fe40273eb4ccb491e402edea27f6b491e74b4ec869f85a0cf407
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: 3AB17832A006559FDB118F68CC82BEE7BA5EF55320F184166E905EF282D774D981CBB0

Function 00D572D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D57307
___except_validate_context_record.LIBVCRUNTIME ref: 00D5730F
_ValidateLocalCookies.LIBCMT ref: 00D57398
__IsNonwritableInCurrentImage.LIBCMT ref: 00D573C3
_ValidateLocalCookies.LIBCMT ref: 00D57418

Strings

csm, xrefs: 00D573AD

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 4a4b8f2c91ec0e06f27e67b16365908ff09f655c680a5a97bd1c97b041c34fe3
Instruction ID: a78fb8560ce09f0e251e3656b7759b763f806b20bc8548dc48df563f8c86aab5
Opcode Fuzzy Hash: 4a4b8f2c91ec0e06f27e67b16365908ff09f655c680a5a97bd1c97b041c34fe3
Instruction Fuzzy Hash: 3141E730A042099FCF10DF68D885A9EBFA5EF04325F288095FC18AB351DB31E949DBB1

Function 00D3A060 Relevance: 9.1, APIs: 6, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D3A09D
std::_Lockit::_Lockit.LIBCPMT ref: 00D3A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 00D3A0E7
__Getctype.LIBCPMT ref: 00D3A1C5
std::_Facet_Register.LIBCPMT ref: 00D3A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 00D3A223

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 1fbdbc8f9c28f396f5fd5d52795b5b2b396d6b67ebfd8463ea489037c77ad661
Instruction ID: c69343f9229523ec0b8ab892a575373eef151b07c4a149cd453993da77223162
Opcode Fuzzy Hash: 1fbdbc8f9c28f396f5fd5d52795b5b2b396d6b67ebfd8463ea489037c77ad661
Instruction Fuzzy Hash: F3519AB0E00345DFCB11CF58C9417AEBBB0FB15714F188258D895AB391DB75AA48CBA2

Function 00D3C430 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D3C45A
std::_Lockit::_Lockit.LIBCPMT ref: 00D3C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 00D3C4A4
std::_Facet_Register.LIBCPMT ref: 00D3C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 00D3C5C4

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 78cc96c51a16e02aeac93ecb29a0e06f219c707376dc9b2817eb8f5b9595ca69
Instruction ID: 539c1388c8f25b3c02965ff1e45adb225592dacf381d3c7ae112feb103cf2544
Opcode Fuzzy Hash: 78cc96c51a16e02aeac93ecb29a0e06f219c707376dc9b2817eb8f5b9595ca69
Instruction Fuzzy Hash: EE51BBB0900258DFDB11DF58D845BAEBBF0FF16354F288158E845BB381D7B5AA09CBA0

Function 00D24900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D2499F

Strings

ios_base::failbit set, xrefs: 00D24828, 00D24941
ios_base::badbit set, xrefs: 00D24937, 00D24962
ios_base::eofbit set, xrefs: 00D24946

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: 3837ce1bec01d91ab6ee95856e00fa86612cc9806b0385423e40edbb017f6479
Instruction ID: 0bdcf26b321493409eea738f648d42cbc498d144f2e7f7639bd62e511d89abbb
Opcode Fuzzy Hash: 3837ce1bec01d91ab6ee95856e00fa86612cc9806b0385423e40edbb017f6479
Instruction Fuzzy Hash: 07117A72804B54ABCB10EA18AC03B663388DB01714F08462CFD689B281EB3498008BB2

Function 00D52729 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D52730
std::_Lockit::_Lockit.LIBCPMT ref: 00D5273B
std::_Lockit::~_Lockit.LIBCPMT ref: 00D527A9

Part of subcall function 00D5288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00D528A4

std::locale::_Setgloballocale.LIBCPMT ref: 00D52756

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: ca5b4d31c70d3d020939022c7dfd23f83a9f8578c4e2217166550f2d1202e342
Instruction ID: 48e301aaaadb3b8e9450fc4daa293293f47bc1c96f5b68eafef566897edf335c
Opcode Fuzzy Hash: ca5b4d31c70d3d020939022c7dfd23f83a9f8578c4e2217166550f2d1202e342
Instruction Fuzzy Hash: EE018875A002109FCB0AEB20984153D7BA1FF8A751B184009EC1527281CF34AA4ECBB1

Function 00D27350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00D2750C
___std_exception_destroy.LIBVCRUNTIME ref: 00D27522

Strings

[json.exception., xrefs: 00D273A1

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 4954a6ca1b167a583f684f716c925e4412b330e127eec57c712bf9d69d96b0f6
Instruction ID: a2f792a603864cf12f5f574fa297fad6499b127799029ffde3095f90aa3857ae
Opcode Fuzzy Hash: 4954a6ca1b167a583f684f716c925e4412b330e127eec57c712bf9d69d96b0f6
Instruction Fuzzy Hash: 2351EFB1D047489FDB10DFA8D906BAEBBB4EF21314F148259E854A7282EBB45A44C7F1

Function 00D247F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D2499F

Strings

ios_base::failbit set, xrefs: 00D24828
ios_base::badbit set, xrefs: 00D24937, 00D24962

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: bbd0bbe7c5e06df7a983a84388ae48632adfa9fe90034e72b81f91d24308c0ed
Instruction ID: 4a936c63177c90b7b85c70d796d49411eb7665653267e9575a2e2c11dbabb3be
Opcode Fuzzy Hash: bbd0bbe7c5e06df7a983a84388ae48632adfa9fe90034e72b81f91d24308c0ed
Instruction Fuzzy Hash: E64145B1C00244ABCB00DF58DC42BAEBBB8EF45314F18825DF954AB381DB759A00CBB1

Function 00D24040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D24061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D240C4

Strings

bad locale name, xrefs: 00D240E6

Memory Dump Source

Source File: 00000007.00000002.3453305471.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 00000007.00000002.3453259385.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453305471.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453559138.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3453590114.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454060819.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454305024.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454349675.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454385676.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.3454406329.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_d20000_RageMP131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 70ee5c88f2ad0719cd9fe007a3d878664de4946e3cf75c32c0b4f00a81fb30ff
Instruction ID: 111f3d04fbd649ca44a9f2cf6be023f8faa7ced57c5dd20a56e0fbcdfe772cc8
Opcode Fuzzy Hash: 70ee5c88f2ad0719cd9fe007a3d878664de4946e3cf75c32c0b4f00a81fb30ff
Instruction Fuzzy Hash: 1311E670805B84EED721CFA8C50475BBFF4EF25714F14868DD89597781D3B95608C7A1

Analysis Process: RageMP131.exePID: 7504, Parent PID: 2580COMMON

Executed Functions

Function 00DE7B00 Relevance: 15.3, APIs: 10, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000003CC,0000FFFF,00001006,?,00000008), ref: 00DE7BA7
recv.WS2_32(?,00000004,00000002), ref: 00DE7BC1
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00DE7C43
recv.WS2_32(00000000,0000000C,00000008), ref: 00DE7C64

Part of subcall function 00DE8590: WSAStartup.WS2_32 ref: 00DE85BB
Part of subcall function 00DE8590: socket.WS2_32(?,?,?,?,?,?,00EA9328,?,?), ref: 00DE865E
Part of subcall function 00DE8590: connect.WS2_32(00000000,00E79BFC,?,?,?,?,00EA9328,?,?), ref: 00DE8672
Part of subcall function 00DE8590: closesocket.WS2_32(00000000), ref: 00DE867D

recv.WS2_32(00000000,?,00000008), ref: 00DE7D1B
recv.WS2_32(?,00000004,00000008), ref: 00DE7E23
__Xtime_get_ticks.LIBCPMT ref: 00DE7E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DE7E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00DE7EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00DE7EB9

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: recv$Sleep$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsetsockoptsocket
String ID:
API String ID: 56803616-0
Opcode ID: a78e864d4deed7432dee18c27206e5a3782aff44cd21b8f4ef8238a8e4fb3220
Instruction ID: 203f9fc486e181189f4c6d421a3b6948662a38376f9561368e7a19668f008480
Opcode Fuzzy Hash: a78e864d4deed7432dee18c27206e5a3782aff44cd21b8f4ef8238a8e4fb3220
Instruction Fuzzy Hash: 45B1BD71D04348DFEB14EBA5CC89BADBBB1EB49700F144258E444BB2D2D7746D88DBA1

Function 00DE8590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00DE85BB
socket.WS2_32(?,?,?,?,?,?,00EA9328,?,?), ref: 00DE865E
connect.WS2_32(00000000,00E79BFC,?,?,?,?,00EA9328,?,?), ref: 00DE8672
closesocket.WS2_32(00000000), ref: 00DE867D

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: eb4a4ef56f16a8534ab8d8a13c04a7fcb0ab3340990da01bef428f8f3ca500fd
Instruction ID: f1e4d74f1662ffe2f84777f5e3c586f1c05fb023ac73640bab05d7e723d3f3b8
Opcode Fuzzy Hash: eb4a4ef56f16a8534ab8d8a13c04a7fcb0ab3340990da01bef428f8f3ca500fd
Instruction Fuzzy Hash: FD31E4725057405BD7209F258C4462FB7E5EFCA364F044F1EFAACA22D0E770990496A3

Function 00D29280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00E6D15C,00000000,74D723A0,-00EA9880), ref: 00D296C9

Strings

Ws2_32.dll, xrefs: 00D2969A

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: Send
String ID: Ws2_32.dll
API String ID: 121738739-3093949381
Opcode ID: 385f5493dd4d7cc9a044049ce9af8bae22fc3a164e80f94aa0e179572a70811f
Instruction ID: 809cdb777cf377856743dfa59997f496825b574d8286debc23098af782abb3cc
Opcode Fuzzy Hash: 385f5493dd4d7cc9a044049ce9af8bae22fc3a164e80f94aa0e179572a70811f
Instruction Fuzzy Hash: CA02E170D04298DFDF25CFA4D8A07ADFBB0EF65314F24429DE4856B286D7701986CBA2

Function 058B099B Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 058B0B3D

Strings

Y>, xrefs: 058B0BC6

Memory Dump Source

Source File: 0000000B.00000002.3463147741.00000000058B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58b0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: Y>
API String ID: 2104809126-159164770
Opcode ID: 61e1a3cb27d88c8505c7c894bd648c86245afedf9a3605044de5726ffac50db8
Instruction ID: 72dc83264b5f9a214ce8e26eb25f6ed42ebf181afda81a208f2b0cbaf141fd29
Opcode Fuzzy Hash: 61e1a3cb27d88c8505c7c894bd648c86245afedf9a3605044de5726ffac50db8
Instruction Fuzzy Hash: 00518DEB24D219FDB102C1866B28AFB677FE6C6778730992AFC07D6642E3D40E495131

Function 058B0A0F Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 058B0B3D

Strings

Y>, xrefs: 058B0BC6

Memory Dump Source

Source File: 0000000B.00000002.3463147741.00000000058B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58b0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: Y>
API String ID: 2104809126-159164770
Opcode ID: 51b5df300beeedf58be59a8431e7dfbe8d59ea309e3b3faa3e2df10914288991
Instruction ID: f880303b10eaabd4c3ce1559ae59649db54002573367fd98e829c5ca06efb360
Opcode Fuzzy Hash: 51b5df300beeedf58be59a8431e7dfbe8d59ea309e3b3faa3e2df10914288991
Instruction Fuzzy Hash: 9541AFEB249219FDB102C0856B28AFB67AEE6D67387309926FC07D6342E3D00E895130

Function 058B0A51 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 058B0B3D

Strings

Y>, xrefs: 058B0BC6

Memory Dump Source

Source File: 0000000B.00000002.3463147741.00000000058B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58b0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: Y>
API String ID: 2104809126-159164770
Opcode ID: 46bba515487846379bd40ca1fd8a5f43d2962b4a50ef014a8bfd36914fc17a28
Instruction ID: 66b9f6190a391b44da931f0329d28b852895b336febc4d32f2b87c8af6c0ceaa
Opcode Fuzzy Hash: 46bba515487846379bd40ca1fd8a5f43d2962b4a50ef014a8bfd36914fc17a28
Instruction Fuzzy Hash: 275190EB64D219FDB202C0856B28AFB676FE6D67387309966FD07C6342E7D00E495130

Function 058B0A7B Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 242
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 058B0B3D

Strings

Y>, xrefs: 058B0BC6

Memory Dump Source

Source File: 0000000B.00000002.3463147741.00000000058B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58b0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: Y>
API String ID: 2104809126-159164770
Opcode ID: a5653fb004fa378dc444c02c7e232b030666437f969a5565c9b77fcb5e39c414
Instruction ID: e1d50c44698765f001be50db5870f8be7a22c3ae55179ccbc03b5c26808b21ef
Opcode Fuzzy Hash: a5653fb004fa378dc444c02c7e232b030666437f969a5565c9b77fcb5e39c414
Instruction Fuzzy Hash: EB41B1EB24C219FDB602C0852B68AFB67AFE6D67783309966FC07C6346E7D04E495130

Function 058B09FF Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 058B0B3D

Strings

Y>, xrefs: 058B0BC6

Memory Dump Source

Source File: 0000000B.00000002.3463147741.00000000058B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58b0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: Y>
API String ID: 2104809126-159164770
Opcode ID: d7bf555fecd454bdc8aea1b2e5f15864a1a769879d077d13cffff258054014fa
Instruction ID: 2cc577b818f4e394b2789ca063d03fb8dcbd8fb4bd03afb5093f2d534df62ed3
Opcode Fuzzy Hash: d7bf555fecd454bdc8aea1b2e5f15864a1a769879d077d13cffff258054014fa
Instruction Fuzzy Hash: 1541BFEB24D219FDB202C0856B28AFB676FE6D67387309926FD07C6342E3D40E495130

Function 058B0A20 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 058B0B3D

Strings

Y>, xrefs: 058B0BC6

Memory Dump Source

Source File: 0000000B.00000002.3463147741.00000000058B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58b0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: Y>
API String ID: 2104809126-159164770
Opcode ID: 891e5b022816bff8a10b8f82abec7315c54a5ddb8dd96ce106acfb6340ad1a8e
Instruction ID: 7df76e16d2b08ce7f16cf7e305048b83c6aeb69ca2ba48cad5484ea81dcfa69c
Opcode Fuzzy Hash: 891e5b022816bff8a10b8f82abec7315c54a5ddb8dd96ce106acfb6340ad1a8e
Instruction Fuzzy Hash: 73419FEB24D219FDB102C0852B68AFB67BEE6D67387308566FD07C6342E7D40E495131

Function 058B0A3A Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 058B0B3D

Strings

Y>, xrefs: 058B0BC6

Memory Dump Source

Source File: 0000000B.00000002.3463147741.00000000058B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58b0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: Y>
API String ID: 2104809126-159164770
Opcode ID: c7c25fb26dfeb6e045893c9f579b18dd9deae2076bcb44e08b4e2123be5bb5e8
Instruction ID: a3a9cc379ba2e24633e6f44fa0d64d8f8a9cffc5c45d9c6242cb58648d468922
Opcode Fuzzy Hash: c7c25fb26dfeb6e045893c9f579b18dd9deae2076bcb44e08b4e2123be5bb5e8
Instruction Fuzzy Hash: 76418FEB24C219FDB102C0852B28AFB676EE6D67783308926FD07C6346E7D04E495130

Function 058B0A5C Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 058B0B3D

Strings

Y>, xrefs: 058B0BC6

Memory Dump Source

Source File: 0000000B.00000002.3463147741.00000000058B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58b0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: Y>
API String ID: 2104809126-159164770
Opcode ID: 0ef90d0a47c978f0bede79391fc1ee2a7c0f32386eca6c9ba7f5a069e53051cf
Instruction ID: cbc2d1aef760c433e758ff556ae6b0a030a73eaa5fba17182a510677ff2af0b6
Opcode Fuzzy Hash: 0ef90d0a47c978f0bede79391fc1ee2a7c0f32386eca6c9ba7f5a069e53051cf
Instruction Fuzzy Hash: AC41A0EB24C219FDB102D0852B28AFB67BEE6D6774730896AFD07D6342E3D00E495130

Function 058B0AE1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 058B0B3D

Strings

Y>, xrefs: 058B0BC6

Memory Dump Source

Source File: 0000000B.00000002.3463147741.00000000058B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58b0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: Y>
API String ID: 2104809126-159164770
Opcode ID: 11cea63725411a9450b18e433647b57b2d747d791497bb79e7d2e51be5a53098
Instruction ID: 3a691797455efb99ba32705da7363abebd6352eb8a89eb7108f96e752daf0a7e
Opcode Fuzzy Hash: 11cea63725411a9450b18e433647b57b2d747d791497bb79e7d2e51be5a53098
Instruction Fuzzy Hash: E4417EEB248219FDB602D0862B28AFB67BEE6C67743308467FD07C6346E7D40E495171

Function 058B0B1D Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 058B0B3D

Strings

Y>, xrefs: 058B0BC6

Memory Dump Source

Source File: 0000000B.00000002.3463147741.00000000058B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58b0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: Y>
API String ID: 2104809126-159164770
Opcode ID: ef16b7a8b4ea711f2c35d0bf49a847b246469ce80502fb2bcb3a737c17a602d6
Instruction ID: 1ec3d382d8e34c95249ec2ae6e4852709c73b7b397dcdd4c0d4ac29a27fd13cc
Opcode Fuzzy Hash: ef16b7a8b4ea711f2c35d0bf49a847b246469ce80502fb2bcb3a737c17a602d6
Instruction Fuzzy Hash: DE31C3EB648219FEB202D1852A68AFB677ED6C6734330846AFC07D6242E7D10E495170

Function 00D69789 Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00D6990E

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 54d1df9dc3cd49a2c573be7b70e7697fbc9748c3f6d8a60caf79bb356e82f9e9
Instruction ID: 6942448e014ac597b9a17791f89b7d05d72f83fbcaea1c2f040100fbef18ee7b
Opcode Fuzzy Hash: 54d1df9dc3cd49a2c573be7b70e7697fbc9748c3f6d8a60caf79bb356e82f9e9
Instruction Fuzzy Hash: 826190B1D04119BFDF11DFA8C894AAEFBBDAF4A304F18014AE940A7256D732D905DBB1

Function 00D6251C Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00D62626,?,?,?,?,?), ref: 00D62558

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 8d405d26a69ca3f753616799157ea8811d834c54dd990a427fea83b6d95a88cc
Instruction ID: c31e598a2e5bbf8ea1c3e27755d5233a6c90a3685dd0999de3ab16fd82f25cff
Opcode Fuzzy Hash: 8d405d26a69ca3f753616799157ea8811d834c54dd990a427fea83b6d95a88cc
Instruction Fuzzy Hash: 4A014932600648AFCF19DF59CC15CAE7B29DF85330B380208F8419B2A0EA71ED418BB0

Function 00D232D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00D2331F

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: 984c53d920273aa7d6f5b707e195fd496de202d6d9244376501c68c92e223d37
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: BEF0B4725001249BDF14AF64E4155E9B3E8DF343A6754097EEC8DC7212EF2ADB5487B0

Function 00D6A65A Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,00D69FE0,00000001,00000364,00000001,00000006,000000FF,?,00D54B3F,?,?,74D723A0,?), ref: 00D6A69B

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d616996c32d6e6b1da655f6594052894a09903e382972b36b66dffa47e0b035f
Instruction ID: 6cd90ebfda477ddda6ff3f38fdb8ea06b99017dc23f6000f61ba745b02f0f439
Opcode Fuzzy Hash: d616996c32d6e6b1da655f6594052894a09903e382972b36b66dffa47e0b035f
Instruction Fuzzy Hash: CFF0E232111D216F9B216AEEDC01A6A378DAF417A0F1D8162ECC4FB084CA30EC008EF6

Function 00D6B094 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00D54B3F,?,?,74D723A0,?,?,00D23522,?,?), ref: 00D6B0C7

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e7f2ad84ff4f40e5c93959ec6735a95c2d2d4fe906f40f2d1c9dd43c23f87161
Instruction ID: a9bf65d9de2aa9efdd69fe9491accb7e5144e05746a6f78f16eb253d5eef1747
Opcode Fuzzy Hash: e7f2ad84ff4f40e5c93959ec6735a95c2d2d4fe906f40f2d1c9dd43c23f87161
Instruction Fuzzy Hash: F1E092312416216BEB3136A59C11B5B7E4DDF433B1F1D0212FC64E61C2DB21DC9486F5

Function 00D68DFF Relevance: 1.3, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,00D68CE6,00000000,?,00E9A178,0000000C,00D68DA2,?,?,?), ref: 00D68E55

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: da0a2699d77dadcbc751361e83aa879b6b648cb695f20bd07eaf4d7a0e04bee1
Instruction ID: e759ea42ccfa96ef364e3f56d88076b63b4ff01b3d64ee9408f298d7c56eefe3
Opcode Fuzzy Hash: da0a2699d77dadcbc751361e83aa879b6b648cb695f20bd07eaf4d7a0e04bee1
Instruction Fuzzy Hash: 62112B37A051146BC72523359C49B7E67498F92734F2D071DF9189B1D3EE63DC816171

Function 058C0221 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3463282198.00000000058C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3353eec61dc6875b7050587dbd3c956e87c3a65fdc54bca37c0a2bf6b02374a7
Instruction ID: 21e80c90e2b90b8417eb95924211c0ace80e45a2549d505d47fc6db237e3b4d7
Opcode Fuzzy Hash: 3353eec61dc6875b7050587dbd3c956e87c3a65fdc54bca37c0a2bf6b02374a7
Instruction Fuzzy Hash: 2F113A9240C30CEF8202D6B8478D6BD7F6B67563F872485EDFC07DA502C274DE058222

Function 058C0240 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3463282198.00000000058C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6ca9743c89232b0583f84cdfd5a0129c98a6ce1918bf0b0a93bc2aa3000e91
Instruction ID: e26ba9690ad6b1e8afa6d9343c3bc793787921af220ad77c7204792988dc9dc0
Opcode Fuzzy Hash: cd6ca9743c89232b0583f84cdfd5a0129c98a6ce1918bf0b0a93bc2aa3000e91
Instruction Fuzzy Hash: 621199A240C31CEF8202E679468D2BDAF5327122F472485BDAC03D7942D674DA099112

Function 058C021C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3463282198.00000000058C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee4158dab11e08e853d45d98e976aead0fdbd78d38e61d0a5affcb4df96ca68
Instruction ID: fbd4bf91e5a85c92f8c0e285018fb684672080b3ab9b8f894a570204f52e9afd
Opcode Fuzzy Hash: 3ee4158dab11e08e853d45d98e976aead0fdbd78d38e61d0a5affcb4df96ca68
Instruction Fuzzy Hash: E11129A240C30CEF8102D6B9978D6BD7F6A67563F872085EDFC07D6502D274EE059122

Function 058C0230 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3463282198.00000000058C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f059b53ea43314c62b8b03813d7f2627f7492141aa4f87a0c052180e81f68230
Instruction ID: 128715879686f9fe9975674c20905f457045d045b259d2915551dd9c3227e6d3
Opcode Fuzzy Hash: f059b53ea43314c62b8b03813d7f2627f7492141aa4f87a0c052180e81f68230
Instruction Fuzzy Hash: FC11299650C31CEF8602D675568D2FD6F5667532F832485EDEC07D6902C1B4DE059122

Function 058C0300 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3463282198.00000000058C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc4c47adf77587b61f5e1c210dd15e77b9f5966e70c2075db0589e901491051d
Instruction ID: 282cdedcfd277767da1abce0905d275997ce49e0c2d87ddc346d4151407fe513
Opcode Fuzzy Hash: fc4c47adf77587b61f5e1c210dd15e77b9f5966e70c2075db0589e901491051d
Instruction Fuzzy Hash: 0701686740D718EFC202DA75964DABC7F62BA436F433489EEEC07C6901E174DE4A5121

Function 058C0261 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3463282198.00000000058C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59729142d40071210a5c990b3bfb776cb5c77030da5e96e3cfa29cd1835c1f81
Instruction ID: 3c76e1e1e9693269c57c347a1b86a809159eeeda83ba5372976772576e9bf73d
Opcode Fuzzy Hash: 59729142d40071210a5c990b3bfb776cb5c77030da5e96e3cfa29cd1835c1f81
Instruction Fuzzy Hash: 7C01689640C31CEF8602E679574D2FC6F6267122F87348AEDEC03D6542C6B4DE499122

Function 058C026E Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3463282198.00000000058C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1732b8f8a5f7cf56cbce86a2746ae05b0dc0f9b8e3a6b02267761374b0f69836
Instruction ID: cf1ea061082afb4140765de78f00c0337e8378851ed1e99c12554b9c0fa46c1f
Opcode Fuzzy Hash: 1732b8f8a5f7cf56cbce86a2746ae05b0dc0f9b8e3a6b02267761374b0f69836
Instruction Fuzzy Hash: 080128A640D31CDB8601E675578D2FDBF616B022F473489EDEC03D7542D5B49E499222

Function 058C034A Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3463282198.00000000058C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c27ecccb8fba897e1479dfa44aa2314d16f48e998c723df2c3ebc0cbb261cde
Instruction ID: e1f2c52e90f971c6afa61ddaadc959d7f733987fd4e625783a886ddb5facb204
Opcode Fuzzy Hash: 5c27ecccb8fba897e1479dfa44aa2314d16f48e998c723df2c3ebc0cbb261cde
Instruction Fuzzy Hash: 3D017B2611D714EBC602EA78564D9FD7F21BA925F433899DFD883CA402D130DD4A86A1

Function 058C028C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3463282198.00000000058C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 757c2fd72cdd8228c9af952da58d8c22905a7ff6bc52288172ea2f86f4f7b95f
Instruction ID: 2e305aa981256fc62d29153d2851257f0f20a8095dd6c3432900b29d5386cf94
Opcode Fuzzy Hash: 757c2fd72cdd8228c9af952da58d8c22905a7ff6bc52288172ea2f86f4f7b95f
Instruction Fuzzy Hash: 1B0147A640C30CEF8201E6B5578D2FDAF6166122F473489ADEC03D7542C5B48A099122

Function 058C029D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3463282198.00000000058C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40cb177053dd65d8c3ec6696f45005e5adea29b4237981b74c4ff07c1a635795
Instruction ID: 86cce770bc0cf5c4d2691033cd1f92a158839d79405c5e5519289c3ef1757c1a
Opcode Fuzzy Hash: 40cb177053dd65d8c3ec6696f45005e5adea29b4237981b74c4ff07c1a635795
Instruction Fuzzy Hash: A0012BA610831CEFC201D7B5578D2FDBF6167026F473489EDEC47D7542D5B48A499222

Function 058C02C6 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3463282198.00000000058C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a578c53486a5ec19ab826648acd67de5d240d0c4cf275d2dbe4638cf11038c1
Instruction ID: 7b5dfd775d997ad9ae4f51a7f81b708442bfe000353e247b815299892902ce08
Opcode Fuzzy Hash: 9a578c53486a5ec19ab826648acd67de5d240d0c4cf275d2dbe4638cf11038c1
Instruction Fuzzy Hash: F0F04C6740D308EFC601CAB9974D4BCBF6176462B8334C9FEEC53D6502D574C609A223

Function 058C027F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3463282198.00000000058C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538e30ba780ccc59518ab3a3afe33b815d1e7ec18bcfdca6396b24982254f49e
Instruction ID: 50e070410c8e3abca64102d973d4384a132bfbd5f7bb8d6091813f5cd688167d
Opcode Fuzzy Hash: 538e30ba780ccc59518ab3a3afe33b815d1e7ec18bcfdca6396b24982254f49e
Instruction Fuzzy Hash: FCF04C6740D308EFD201CAB9574D57CBF6175422F8334C9EEEC53D5502D574CA09A223

Function 058C02E5 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3463282198.00000000058C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f2fba13a5143a719b3ed8b61385d7e107ce061f2ba63fc3de62a15784f49b64
Instruction ID: 3c2ed950e22ced8ba577dfc6aabc7e5426ab51d3bd8e426e2c2c16688c6e092e
Opcode Fuzzy Hash: 7f2fba13a5143a719b3ed8b61385d7e107ce061f2ba63fc3de62a15784f49b64
Instruction Fuzzy Hash: F6F08BA350C318EBC201DA78174D1FC7FA5A6061B532489FEE847C5802D970CA0A9622

Function 058C02BF Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3463282198.00000000058C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce400e54d7f63c552e5dc2c1865b95b04bd1446dd822eda374fdf320935df784
Instruction ID: d129c19a2a1b08b9c5965339c1912a66f0a0b95b0e9b792d57e62a98e4cf71d6
Opcode Fuzzy Hash: ce400e54d7f63c552e5dc2c1865b95b04bd1446dd822eda374fdf320935df784
Instruction Fuzzy Hash: 25F0596740C318EF8201DAB5174D17CBE6275422F4334C9FEEC07D1902C5B4CE099222

Function 058C032F Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3463282198.00000000058C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 058C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_58c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96d354f4d69b8cb273732246fc2a556f88550bfb409bf1b36b57e0d3a7f0e19f
Instruction ID: 6819b82d5e785462afb56e8077b97951445a88019338ffc4ee067da79ff9ec3e
Opcode Fuzzy Hash: 96d354f4d69b8cb273732246fc2a556f88550bfb409bf1b36b57e0d3a7f0e19f
Instruction Fuzzy Hash: 5CE0556650A308EFC201EAB46A4C5BD7BA569422B43348AFDE8A2C2882C674854E9321

Non-executed Functions

Function 00D5C960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: e1f9adda3281e937fb19cf12b0e3b06702adfca8d545d5348acbeeb9fe1e1ff4
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: 59020A71E112199FDF14CFA9D8806AEBBF1EF48315F24826AED19E7340D731A945CBA0

Function 00D6BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D6BBEC

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: 5f07a9cc17a5fe40273eb4ccb491e402edea27f6b491e74b4ec869f85a0cf407
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: 3AB17832A006559FDB118F68CC82BEE7BA5EF55320F184166E905EF282D774D981CBB0

Function 00D572D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D57307
___except_validate_context_record.LIBVCRUNTIME ref: 00D5730F
_ValidateLocalCookies.LIBCMT ref: 00D57398
__IsNonwritableInCurrentImage.LIBCMT ref: 00D573C3
_ValidateLocalCookies.LIBCMT ref: 00D57418

Strings

csm, xrefs: 00D573AD

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 4a4b8f2c91ec0e06f27e67b16365908ff09f655c680a5a97bd1c97b041c34fe3
Instruction ID: a78fb8560ce09f0e251e3656b7759b763f806b20bc8548dc48df563f8c86aab5
Opcode Fuzzy Hash: 4a4b8f2c91ec0e06f27e67b16365908ff09f655c680a5a97bd1c97b041c34fe3
Instruction Fuzzy Hash: 3141E730A042099FCF10DF68D885A9EBFA5EF04325F288095FC18AB351DB31E949DBB1

Function 00D3A060 Relevance: 9.1, APIs: 6, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D3A09D
std::_Lockit::_Lockit.LIBCPMT ref: 00D3A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 00D3A0E7
__Getctype.LIBCPMT ref: 00D3A1C5
std::_Facet_Register.LIBCPMT ref: 00D3A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 00D3A223

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 1fbdbc8f9c28f396f5fd5d52795b5b2b396d6b67ebfd8463ea489037c77ad661
Instruction ID: c69343f9229523ec0b8ab892a575373eef151b07c4a149cd453993da77223162
Opcode Fuzzy Hash: 1fbdbc8f9c28f396f5fd5d52795b5b2b396d6b67ebfd8463ea489037c77ad661
Instruction Fuzzy Hash: F3519AB0E00345DFCB11CF58C9417AEBBB0FB15714F188258D895AB391DB75AA48CBA2

Function 00D3C430 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D3C45A
std::_Lockit::_Lockit.LIBCPMT ref: 00D3C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 00D3C4A4
std::_Facet_Register.LIBCPMT ref: 00D3C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 00D3C5C4

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 78cc96c51a16e02aeac93ecb29a0e06f219c707376dc9b2817eb8f5b9595ca69
Instruction ID: 539c1388c8f25b3c02965ff1e45adb225592dacf381d3c7ae112feb103cf2544
Opcode Fuzzy Hash: 78cc96c51a16e02aeac93ecb29a0e06f219c707376dc9b2817eb8f5b9595ca69
Instruction Fuzzy Hash: EE51BBB0900258DFDB11DF58D845BAEBBF0FF16354F288158E845BB381D7B5AA09CBA0

Function 00D24900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D2499F

Strings

ios_base::badbit set, xrefs: 00D24937, 00D24962
ios_base::failbit set, xrefs: 00D24828, 00D24941
ios_base::eofbit set, xrefs: 00D24946

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: 3837ce1bec01d91ab6ee95856e00fa86612cc9806b0385423e40edbb017f6479
Instruction ID: 0bdcf26b321493409eea738f648d42cbc498d144f2e7f7639bd62e511d89abbb
Opcode Fuzzy Hash: 3837ce1bec01d91ab6ee95856e00fa86612cc9806b0385423e40edbb017f6479
Instruction Fuzzy Hash: 07117A72804B54ABCB10EA18AC03B663388DB01714F08462CFD689B281EB3498008BB2

Function 00D52729 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00D52730
std::_Lockit::_Lockit.LIBCPMT ref: 00D5273B
std::_Lockit::~_Lockit.LIBCPMT ref: 00D527A9

Part of subcall function 00D5288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00D528A4

std::locale::_Setgloballocale.LIBCPMT ref: 00D52756

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: ca5b4d31c70d3d020939022c7dfd23f83a9f8578c4e2217166550f2d1202e342
Instruction ID: 48e301aaaadb3b8e9450fc4daa293293f47bc1c96f5b68eafef566897edf335c
Opcode Fuzzy Hash: ca5b4d31c70d3d020939022c7dfd23f83a9f8578c4e2217166550f2d1202e342
Instruction Fuzzy Hash: EE018875A002109FCB0AEB20984153D7BA1FF8A751B184009EC1527281CF34AA4ECBB1

Function 00D27350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00D2750C
___std_exception_destroy.LIBVCRUNTIME ref: 00D27522

Strings

[json.exception., xrefs: 00D273A1

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 4954a6ca1b167a583f684f716c925e4412b330e127eec57c712bf9d69d96b0f6
Instruction ID: a2f792a603864cf12f5f574fa297fad6499b127799029ffde3095f90aa3857ae
Opcode Fuzzy Hash: 4954a6ca1b167a583f684f716c925e4412b330e127eec57c712bf9d69d96b0f6
Instruction Fuzzy Hash: 2351EFB1D047489FDB10DFA8D906BAEBBB4EF21314F148259E854A7282EBB45A44C7F1

Function 00D247F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00D2499F

Strings

ios_base::badbit set, xrefs: 00D24937, 00D24962
ios_base::failbit set, xrefs: 00D24828

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: bbd0bbe7c5e06df7a983a84388ae48632adfa9fe90034e72b81f91d24308c0ed
Instruction ID: 4a936c63177c90b7b85c70d796d49411eb7665653267e9575a2e2c11dbabb3be
Opcode Fuzzy Hash: bbd0bbe7c5e06df7a983a84388ae48632adfa9fe90034e72b81f91d24308c0ed
Instruction Fuzzy Hash: E64145B1C00244ABCB00DF58DC42BAEBBB8EF45314F18825DF954AB381DB759A00CBB1

Function 00D24040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D24061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D240C4

Strings

bad locale name, xrefs: 00D240E6

Memory Dump Source

Source File: 0000000B.00000002.3453097183.0000000000D21000.00000040.00000001.01000000.00000006.sdmp, Offset: 00D20000, based on PE: true

Associated: 0000000B.00000002.3452807186.0000000000D20000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3453097183.0000000000EA5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454183871.0000000000EAA000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000000EAD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001034000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000111A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.0000000001156000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000115D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3454307049.000000000116C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455605505.000000000116D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455904393.000000000130A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3455966053.000000000130B000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456038097.000000000130C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.3456092776.000000000130D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d20000_RageMP131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 70ee5c88f2ad0719cd9fe007a3d878664de4946e3cf75c32c0b4f00a81fb30ff
Instruction ID: 111f3d04fbd649ca44a9f2cf6be023f8faa7ced57c5dd20a56e0fbcdfe772cc8
Opcode Fuzzy Hash: 70ee5c88f2ad0719cd9fe007a3d878664de4946e3cf75c32c0b4f00a81fb30ff
Instruction Fuzzy Hash: 1311E670805B84EED721CFA8C50475BBFF4EF25714F14868DD89597781D3B95608C7A1

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report dcmaM16D71.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
dcmaM16D71.exe

Function 04DA0785 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 416
COMMON

Function 001C9280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Function 04DA09CC Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 265
COMMON

Function 00287B00 Relevance: 15.3, APIs: 10, Instructions: 284
networksleepCOMMON

Function 00288590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Function 04DA088B Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 321
COMMON

Function 04DA0856 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 318
COMMON

Function 04DA08AF Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 317
COMMON

Function 04DA08DE Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 306
COMMON

Function 04DA0874 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 305
COMMON

Function 04DA0943 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 253
COMMON

Function 04DA096A Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 251
COMMON

Function 04DA095D Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 249
COMMON

Function 04DA0991 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 240
COMMON

Function 04DA0A09 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 231
COMMON