Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe
Analysis ID:	1435113
MD5:	6bf87e7f53315e6a41de8e99b6702341
SHA1:	125a7d887df3d2ab6f09e87d7c0ffc883eeea35b
SHA256:	7cf9c3f092afee2ba38d660aa59e263b329ecc899e583660cd3b59fcd29f9a02
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject threads in other processes

Found stalling execution ending in API Sleep call

Hides threads from debuggers

PE file has nameless sections

Uses schtasks.exe or at.exe to add and modify task schedules

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe (PID: 5080 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe" MD5: 6BF87E7F53315E6A41DE8E99B6702341)

schtasks.exe (PID: 1012 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5688 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MPGPH131.exe (PID: 1440 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 6BF87E7F53315E6A41DE8E99B6702341)

MPGPH131.exe (PID: 6552 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 6BF87E7F53315E6A41DE8E99B6702341)

RageMP131.exe (PID: 2724 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 6BF87E7F53315E6A41DE8E99B6702341)

RageMP131.exe (PID: 5516 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 6BF87E7F53315E6A41DE8E99B6702341)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe PID: 5080	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 1440	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 6552	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 2724	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 5516	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, ProcessId: 5080, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.5

Timestamp:	05/02/24-06:16:16.523614
SID:	2046266
Source Port:	58709
Destination Port:	49707
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.5

Timestamp:	05/02/24-06:16:21.991545
SID:	2046267
Source Port:	58709
Destination Port:	49707
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.5 - Destination IP: 147.45.47.93

Timestamp:	05/02/24-06:18:31.640435
SID:	2046269
Source Port:	49706
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.5

Timestamp:	05/02/24-06:16:16.500069
SID:	2046266
Source Port:	58709
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.5 - Destination IP: 147.45.47.93

Timestamp:	05/02/24-06:18:31.640434
SID:	2046269
Source Port:	49707
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.5 - Destination IP: 147.45.47.93

Timestamp:	05/02/24-06:16:10.960089
SID:	2049060
Source Port:	49705
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.5 - Destination IP: 147.45.47.93

Timestamp:	05/02/24-06:18:35.093509
SID:	2046269
Source Port:	49721
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.5

Timestamp:	05/02/24-06:16:18.088207
SID:	2046267
Source Port:	58709
Destination Port:	49705
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.5

Timestamp:	05/02/24-06:16:11.105907
SID:	2046266
Source Port:	58709
Destination Port:	49705
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.5

Timestamp:	05/02/24-06:16:21.976112
SID:	2046267
Source Port:	58709
Destination Port:	49706
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.5

Timestamp:	05/02/24-06:17:56.478700
SID:	2046267
Source Port:	58709
Destination Port:	49721
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.5

Timestamp:	05/02/24-06:16:32.277727
SID:	2046266
Source Port:	58709
Destination Port:	49721
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.5 - Destination IP: 147.45.47.93

Timestamp:	05/02/24-06:18:31.734139
SID:	2046269
Source Port:	49716
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.5 - Destination IP: 147.45.47.93

Timestamp:	05/02/24-06:18:31.624622
SID:	2046269
Source Port:	49705
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.5

Timestamp:	05/02/24-06:17:43.913022
SID:	2046267
Source Port:	58709
Destination Port:	49716
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.5

Timestamp:	05/02/24-06:16:26.984352
SID:	2046266
Source Port:	58709
Destination Port:	49716
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Avira: detection malicious, Label: HEUR/AGEN.1306558
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Avira: detection malicious, Label: HEUR/AGEN.1306558

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 50%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Virustotal: Detection: 51%	Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Virustotal: Detection: 51%	Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Virustotal: Detection: 51%			Perma Link
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	ReversingLabs: Detection: 50%

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49726 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_00092012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	0_2_00092012
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_00143B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	0_2_00143B20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_000F13F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_000F13F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_000F1680 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrlen,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlen,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlen,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlen,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,lstrlen,	0_2_000F1680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_00091F8C FindClose,FindFirstFileExW,GetLastError,	0_2_00091F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00F01F8C FindClose,FindFirstFileExW,GetLastError,	6_2_00F01F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00F01F8C FindClose,FindFirstFileExW,GetLastError,	7_2_00F01F8C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00801F8C FindClose,FindFirstFileExW,GetLastError,	8_2_00801F8C

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49706
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49707
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49706 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49707 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49706
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49707
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49716
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49716 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49721
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49721 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49716
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49721

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9

Source: global traffic

TCP traffic: 192.168.2.5:49705 -> 147.45.47.93:58709

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 147.45.47.93 147.45.47.93
Source: Joe Sandbox View	IP Address: 104.26.5.15 104.26.5.15

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Code function: 0_2_00125940 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW,

0_2_00125940

Source: global traffic	HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/191.96.150.225 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=191.96.150.225 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	String found in binary or memory: http://pki-ocsp.symauth.com0
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3549725655.00000000007D1000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/6K
Source: MPGPH131.exe, 00000006.00000002.3549743484.0000000000840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/Gf
Source: RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225
Source: RageMP131.exe, 00000008.00000002.3552009163.0000000001BBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225(
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.2251
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225c
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225le
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225leM
Source: MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2881018682.0000000001BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225sstD24
Source: MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2881018682.0000000001BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225t
Source: MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2881018682.0000000001BC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225u
Source: MPGPH131.exe, 00000006.00000002.3549743484.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551189307.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001AA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225P
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3549743484.0000000000840000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2881018682.0000000001BC1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: RageMP131.exe, 00000008.00000002.3552009163.0000000001B6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/N
Source: MPGPH131.exe, 00000006.00000002.3549743484.00000000007BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/X
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3549725655.00000000007D1000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001319000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3549743484.00000000007F9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551189307.0000000001B70000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551189307.0000000001BB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2881296394.0000000001BB8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3552009163.0000000001B7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225$
Source: MPGPH131.exe, 00000006.00000002.3549743484.0000000000840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225Ly
Source: MPGPH131.exe, 00000006.00000002.3549743484.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001AA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225
Source: RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225&
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.2256
Source: MPGPH131.exe, 00000007.00000002.3551189307.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225e
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.R
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3549743484.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551189307.0000000001B37000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3552009163.0000000001B3E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001AA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro
Source: MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551189307.0000000001BAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 00000006.00000002.3549743484.0000000000840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botQ=
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3552227478.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000003.3012779154.00000000013A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botrisepro
Source: MPGPH131.exe, RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49726 version: TLS 1.2

System Summary

PE file has nameless sections

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_00158080	0_2_00158080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_001A40A0	0_2_001A40A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_0019C8D0	0_2_0019C8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_001920C0	0_2_001920C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_0009A918	0_2_0009A918
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_00101130	0_2_00101130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_0009C950	0_2_0009C950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_001A3160	0_2_001A3160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_00097190	0_2_00097190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_001A5A40	0_2_001A5A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_000ADA74	0_2_000ADA74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_0019F280	0_2_0019F280
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_001A4AE0	0_2_001A4AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_00150350	0_2_00150350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_000A035F	0_2_000A035F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_00144B90	0_2_00144B90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_000B8BA0	0_2_000B8BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_000F0BA0	0_2_000F0BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_0008F570	0_2_0008F570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_000B25FE	0_2_000B25FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_000B8E20	0_2_000B8E20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_00101E40	0_2_00101E40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_000F1680	0_2_000F1680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_000B47AD	0_2_000B47AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_0014CFC0	0_2_0014CFC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_0014BFC0	0_2_0014BFC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A06DA	0_2_7F5A06DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A0000	0_2_7F5A0000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00F07190	6_2_00F07190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00F0C950	6_2_00F0C950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00F0A918	6_2_00F0A918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00F1DA74	6_2_00F1DA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00F28BA0	6_2_00F28BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00FC0350	6_2_00FC0350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00F1035F	6_2_00F1035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00F225FE	6_2_00F225FE
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00EFF570	6_2_00EFF570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00FBCFC0	6_2_00FBCFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00F247AD	6_2_00F247AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_7F8C06DA	6_2_7F8C06DA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_7F8C0000	6_2_7F8C0000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00F07190	7_2_00F07190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00F0C950	7_2_00F0C950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00F0A918	7_2_00F0A918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00F1DA74	7_2_00F1DA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00F28BA0	7_2_00F28BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00FC0350	7_2_00FC0350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00F1035F	7_2_00F1035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00F225FE	7_2_00F225FE
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00EFF570	7_2_00EFF570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00FBCFC0	7_2_00FBCFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00F247AD	7_2_00F247AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_7ECD06DA	7_2_7ECD06DA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_7ECD0000	7_2_7ECD0000
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00807190	8_2_00807190
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_0080A918	8_2_0080A918
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_0080C950	8_2_0080C950
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_0081DA74	8_2_0081DA74
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00828BA0	8_2_00828BA0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_008C0350	8_2_008C0350
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_0081035F	8_2_0081035F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_007FF570	8_2_007FF570
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_008225FE	8_2_008225FE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_008247AD	8_2_008247AD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_008BCFC0	8_2_008BCFC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_7F0906DA	8_2_7F0906DA
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_7F090000	8_2_7F090000

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: String function: 0007ACE0 appears 40 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 00F04370 appears 48 times

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: Section: ZLIB complexity 0.999750239769821
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: Section: ZLIB complexity 0.9934138808139535
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: Section: ZLIB complexity 0.9931640625
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: Section: ZLIB complexity 1.0006510416666667
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.999750239769821
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9934138808139535
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9931640625
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0006510416666667
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.999750239769821
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9934138808139535
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9931640625
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0006510416666667

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/5@3/3

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Code function: 0_2_00144B90 CopyFileA,GetLastError,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,

0_2_00144B90

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3549725655.00000000007D1000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3549725655.00000000007D1000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Virustotal: Detection: 51%
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	ReversingLabs: Detection: 50%

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll	Jump to behavior

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Static file information: File size 3219456 > 1048576

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x22b000

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Unpacked PE file: 0.2.SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe.60000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 6.2.MPGPH131.exe.ed0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 7.2.MPGPH131.exe.ed0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 8.2.RageMP131.exe.7d0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 10.2.RageMP131.exe.7d0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Code function: 0_2_0012C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

0_2_0012C630

Source: initial sample

Static PE information: section where entry point is pointing to: .data

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_00093F49 push ecx; ret	0_2_00093F5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A0F50 push 7F5A0002h; ret	0_2_7F5A0F5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A2750 push 7F5A0002h; ret	0_2_7F5A275F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A1F40 push 7F5A0002h; ret	0_2_7F5A1F4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A1F70 push 7F5A0002h; ret	0_2_7F5A1F7F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A1760 push 7F5A0002h; ret	0_2_7F5A176F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A1F10 push 7F5A0002h; ret	0_2_7F5A1F1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A1700 push 7F5A0002h; ret	0_2_7F5A170F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A1730 push 7F5A0002h; ret	0_2_7F5A173F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A0F20 push 7F5A0002h; ret	0_2_7F5A0F2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A2720 push 7F5A0002h; ret	0_2_7F5A272F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A1FD0 push 7F5A0002h; ret	0_2_7F5A1FDF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A17C0 push 7F5A0002h; ret	0_2_7F5A17CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A17F0 push 7F5A0002h; ret	0_2_7F5A17FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A0FE0 push 7F5A0002h; ret	0_2_7F5A0FEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A27E0 push 7F5A0002h; ret	0_2_7F5A27EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A1790 push 7F5A0002h; ret	0_2_7F5A179F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A0F80 push 7F5A0002h; ret	0_2_7F5A0F8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A2780 push 7F5A0002h; ret	0_2_7F5A278F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A0FB0 push 7F5A0002h; ret	0_2_7F5A0FBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A27B0 push 7F5A0002h; ret	0_2_7F5A27BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A1FA0 push 7F5A0002h; ret	0_2_7F5A1FAF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A1E50 push 7F5A0002h; ret	0_2_7F5A1E5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A1640 push 7F5A0002h; ret	0_2_7F5A164F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A1670 push 7F5A0002h; ret	0_2_7F5A167F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A0E60 push 7F5A0002h; ret	0_2_7F5A0E6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A2660 push 7F5A0002h; ret	0_2_7F5A266F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A1610 push 7F5A0002h; ret	0_2_7F5A161F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A0E00 push 7F5A0002h; ret	0_2_7F5A0E0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A2600 push 7F5A0002h; ret	0_2_7F5A260F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_7F5A0E30 push 7F5A0002h; ret	0_2_7F5A0E3F

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: section name: entropy: 7.999603691993064
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: section name: entropy: 7.991172527649386
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: section name: entropy: 7.81663229040033
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Static PE information: section name: entropy: 7.993404858996497
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.999603691993064
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.991172527649386
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.81663229040033
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.993404858996497
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.999603691993064
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.991172527649386
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.81663229040033
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.993404858996497

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Stalling execution: Execution stalls by calling Sleep	graph_0-29360
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Stalling execution: Execution stalls by calling Sleep	graph_6-15246

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Window / User API: threadDelayed 727	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Window / User API: threadDelayed 7866	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 8742	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 8977	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 552	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 4479	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 3891	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 425	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 4886	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 3934	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 495	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_0-29359
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_6-15245
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_6-17743
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_0-29967

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 4296	Thread sleep count: 727 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 4296	Thread sleep count: 162 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 2468	Thread sleep count: 101 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 2468	Thread sleep time: -101000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 2232	Thread sleep count: 347 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 2232	Thread sleep time: -347000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 4296	Thread sleep count: 40 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 2232	Thread sleep count: 7866 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 2232	Thread sleep time: -7866000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 4296	Thread sleep count: 200 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1708	Thread sleep count: 266 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6392	Thread sleep count: 8742 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6392	Thread sleep time: -8742000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5864	Thread sleep count: 125 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5864	Thread sleep time: -125000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1708	Thread sleep count: 52 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1708	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1708	Thread sleep count: 244 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6720	Thread sleep count: 78 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1164	Thread sleep count: 8977 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1164	Thread sleep time: -8977000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6156	Thread sleep count: 77 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6156	Thread sleep time: -77000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6720	Thread sleep count: 51 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6720	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3092	Thread sleep count: 552 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3252	Thread sleep count: 4479 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3252	Thread sleep time: -4479000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 368	Thread sleep count: 3891 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 368	Thread sleep time: -3891000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3092	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3092	Thread sleep count: 425 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3092	Thread sleep time: -42925s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5060	Thread sleep count: 4886 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5060	Thread sleep time: -4886000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1172	Thread sleep count: 3934 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1172	Thread sleep time: -3934000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5480	Thread sleep count: 495 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5480	Thread sleep time: -49995s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_00092012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	0_2_00092012
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_00143B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	0_2_00143B20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_000F13F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_000F13F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_000F1680 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrlen,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlen,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlen,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlen,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,lstrlen,	0_2_000F1680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_00091F8C FindClose,FindFirstFileExW,GetLastError,	0_2_00091F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00F01F8C FindClose,FindFirstFileExW,GetLastError,	6_2_00F01F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00F01F8C FindClose,FindFirstFileExW,GetLastError,	7_2_00F01F8C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00801F8C FindClose,FindFirstFileExW,GetLastError,	8_2_00801F8C

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: RageMP131.exe, 00000008.00000002.3552009163.0000000001B99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: MPGPH131.exe, 00000006.00000003.2137786762.000000000082D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}E\|
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, 00000007.00000002.3551189307.0000000001B62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000+
Source: RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: vmware
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#$_
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: RageMP131.exe, 0000000A.00000003.2295286562.0000000001B15000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, 00000006.00000002.3549743484.000000000081B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ~\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000g}
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.000000000133B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000X
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Hyper-V (guest)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000AA7000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000AA7000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000AA7000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001AFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}7
Source: RageMP131.exe, 00000008.00000002.3552009163.0000000001B6D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000T
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, 00000007.00000002.3551189307.0000000001B8F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.000000000133B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3549743484.0000000000840000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3549743484.000000000081B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551189307.0000000001B8F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2881018682.0000000001BC1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001AFF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 0000000A.00000003.2295286562.0000000001B13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001AFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, 00000007.00000003.2137471360.0000000001BA5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}d
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: RageMP131.exe, 00000008.00000003.2242313224.0000000001BAD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Z
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: RageMP131.exe, 00000008.00000003.2242313224.0000000001BAD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:;
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001347000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Via W
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: RageMP131.exe, 00000008.00000002.3552009163.0000000001BAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b};3
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: xVBoxService.exe
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.000000000133B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sik&ven_vmware&prod_vidi&1656f219&0&000000#{07f-11d0-94f2-00a0c91e
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: VBoxService.exe
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW[
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: VMWare
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001AA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: #Windows 11 Microsoft Hyper-V Server

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Code function: 0_2_00098A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00098A54

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

0_2_0012C630

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Code function: 0_2_000F1680 mov eax, dword ptr fs:[00000030h]

0_2_000F1680

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Code function: 0_2_00146E20 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,

0_2_00146E20

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_00098A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00098A54
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_0009450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0009450D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00F08A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_00F08A54
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00F0450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	6_2_00F0450D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00F08A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_00F08A54
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00F0450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00F0450D
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00808A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_00808A54
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_0080450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_0080450D

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: 0_2_0012C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,	0_2_0012C630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00F9C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,	6_2_00F9C630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00F9C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,	7_2_00F9C630
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_0089C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,	8_2_0089C630

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: EnumSystemLocalesW,	0_2_000AB1A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: GetLocaleInfoW,	0_2_000B31B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_000B32E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_000B2B48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: GetLocaleInfoW,	0_2_000B33E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_000B34BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: GetLocaleInfoW,	0_2_000B2D4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: EnumSystemLocalesW,	0_2_000B2DF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: EnumSystemLocalesW,	0_2_000B2E3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: EnumSystemLocalesW,	0_2_000B2EDA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: GetLocaleInfoW,	0_2_000AB726
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_000B2F65
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	6_2_00F231B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	6_2_00F1B1A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	6_2_00F232E1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	6_2_00F233E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	6_2_00F22B48
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	6_2_00F234BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	6_2_00F22DF4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	6_2_00F22D4D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	6_2_00F22EDA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	6_2_00F22E3F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	6_2_00F22F65
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	6_2_00F1B726
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	7_2_00F231B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	7_2_00F1B1A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	7_2_00F232E1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	7_2_00F233E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	7_2_00F22B48
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	7_2_00F234BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	7_2_00F22DF4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	7_2_00F22D4D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	7_2_00F22EDA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	7_2_00F22E3F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	7_2_00F22F65
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	7_2_00F1B726
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: EnumSystemLocalesW,	8_2_0081B1A3
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: GetLocaleInfoW,	8_2_008231B8
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_008232E1
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: GetLocaleInfoW,	8_2_008233E7
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	8_2_00822B48
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_008234BD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: EnumSystemLocalesW,	8_2_00822DF4
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: GetLocaleInfoW,	8_2_00822D4D
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: EnumSystemLocalesW,	8_2_00822EDA
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: EnumSystemLocalesW,	8_2_00822E3F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: GetLocaleInfoW,	8_2_0081B726
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	8_2_00822F65

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Code function: 0_2_0009360D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_0009360D

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Code function: 0_2_7F5A1AC0 GetUserNameA,

0_2_7F5A1AC0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe PID: 5080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 1440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 2724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 5516, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe PID: 5080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 1440, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6552, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 2724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 5516, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	12 Software Packing	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Query Registry	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Virtualization/Sandbox Evasion	Cached Domain Credentials	221 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	11 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	51%	Virustotal		Browse
SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	50%	ReversingLabs	Win32.Trojan.Privateloader
SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe	100%	Avira	HEUR/AGEN.1306558

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Avira	HEUR/AGEN.1306558
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Avira	HEUR/AGEN.1306558
C:\ProgramData\MPGPH131\MPGPH131.exe	50%	ReversingLabs	Win32.Trojan.Privateloader
C:\ProgramData\MPGPH131\MPGPH131.exe	51%	Virustotal		Browse
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	50%	ReversingLabs	Win32.Trojan.Privateloader
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	51%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://pki-ocsp.symauth.com0	0%	URL Reputation	safe
https://t.R	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	false		high
db-ip.com	104.26.5.15	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://db-ip.com/demo/home.php?s=191.96.150.225	false		high
https://ipinfo.io/widget/demo/191.96.150.225	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/X	MPGPH131.exe, 00000006.00000002.3549743484.00000000007BD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/demo/home.php?s=191.96.150.225sstD24	MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2881018682.0000000001BC1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/demo/home.php?s=191.96.150.225t	MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2881018682.0000000001BC1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/demo/home.php?s=191.96.150.225u	MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2881018682.0000000001BC1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	false		high
https://db-ip.com/	RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/demo/home.php?s=191.96.150.2251	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3549725655.00000000007D1000.00000040.00000001.01000000.00000005.sdmp	false		high
https://db-ip.com:443/demo/home.php?s=191.96.150.225P	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORT	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3549743484.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551189307.0000000001B37000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3552009163.0000000001B3E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001AA7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	false		high
https://ipinfo.io:443/widget/demo/191.96.150.2256	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/N	RageMP131.exe, 00000008.00000002.3552009163.0000000001B6D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_botQ=	MPGPH131.exe, 00000006.00000002.3549743484.0000000000840000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/widget/demo/191.96.150.225Ly	MPGPH131.exe, 00000006.00000002.3549743484.0000000000840000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io:443/widget/demo/191.96.150.225	MPGPH131.exe, 00000006.00000002.3549743484.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001AA7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/Gf	MPGPH131.exe, 00000006.00000002.3549743484.0000000000840000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/Mozilla/5.0	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3549743484.0000000000840000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2881018682.0000000001BC1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro	MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.R	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_bot	MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551189307.0000000001BAD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/demo/home.php?s=191.96.150.225le	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io:443/widget/demo/191.96.150.225&	RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/6K	RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/	RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pki-ocsp.symauth.com0	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	false	URL Reputation: safe	unknown
https://ipinfo.io:443/widget/demo/191.96.150.225e	MPGPH131.exe, 00000007.00000002.3551189307.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.maxmind.com/en/locate-my-ip-address	MPGPH131.exe, RageMP131.exe	false		high
https://ipinfo.io/widget/demo/191.96.150.225$	RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.winimage.com/zLibDll	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3549725655.00000000007D1000.00000040.00000001.01000000.00000005.sdmp	false		high
https://db-ip.com/demo/home.php?s=191.96.150.225(	RageMP131.exe, 00000008.00000002.3552009163.0000000001BBC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com:443/demo/home.php?s=191.96.150.225	MPGPH131.exe, 00000006.00000002.3549743484.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551189307.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001AA7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_botrisepro	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3552227478.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000003.3012779154.00000000013A5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/demo/home.php?s=191.96.150.225leM	RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/demo/home.php?s=191.96.150.225c	RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
147.45.47.93	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
104.26.5.15	db-ip.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1435113
Start date and time:	2024-05-02 06:15:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/5@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:16:11	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
06:16:11	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
06:16:12	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
06:16:20	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
06:16:43	API Interceptor	1132289x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe modified
06:16:49	API Interceptor	1685074x Sleep call for process: MPGPH131.exe modified
06:16:57	API Interceptor	1316932x Sleep call for process: RageMP131.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	uUsgzQ3DoW.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
	8BZBgbeCcz.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
147.45.47.93	file.exe	Get hash	malicious	RisePro Stealer	Browse
	SecuriteInfo.com.Win32.PWSX-gen.2624.6335.exe	Get hash	malicious	RisePro Stealer	Browse
	tZvjMg3Hw9.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse
	2zdult23rz.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	WlCIinu0yp.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	LummaC, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.3413.25873.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
104.26.5.15	SecuriteInfo.com.Win64.Evo-gen.17494.7440.exe	Get hash	malicious	Unknown	Browse	api.db-ip.com/v2/free/127.0.0.1
	Nemty.exe	Get hash	malicious	Nemty	Browse	api.db-ip.com/v2/free/84.17.52.2/countryName
	227.exe	Get hash	malicious	Nemty	Browse	api.db-ip.com/v2/free/102.129.143.40/countryName

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	SecuriteInfo.com.Win32.PWSX-gen.2624.6335.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	tZvjMg3Hw9.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	34.117.186.192
	2zdult23rz.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	MegaUniversesMQ.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	MegaUniversesMQ.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192
	WlCIinu0yp.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT	Browse	34.117.186.192
db-ip.com	file.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	SecuriteInfo.com.Win32.PWSX-gen.2624.6335.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	tZvjMg3Hw9.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	172.67.75.166
	2zdult23rz.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.26.5.15
	WlCIinu0yp.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Socks5Systemz, Vidar, zgRAT	Browse	104.26.4.15
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.26.4.15
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	104.26.4.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	https://herozheng.com/	Get hash	malicious	Unknown	Browse	34.117.152.183
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	https://wywljs.com/	Get hash	malicious	Unknown	Browse	34.117.152.183
	https://xdywna.com/	Get hash	malicious	Unknown	Browse	34.117.152.183
	831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	SecuriteInfo.com.Win32.PWSX-gen.2624.6335.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	tZvjMg3Hw9.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	34.117.186.192
	2zdult23rz.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	MegaUniversesMQ.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
FREE-NET-ASFREEnetEU	file.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	SecuriteInfo.com.Win32.PWSX-gen.2624.6335.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	Iauncher.exe	Get hash	malicious	RedLine	Browse	147.45.47.65
	Iauncher.exe	Get hash	malicious	RedLine	Browse	147.45.47.65
	tZvjMg3Hw9.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	193.233.132.226
	2zdult23rz.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	file.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	193.233.132.175
	fBirvIlaOJ.exe	Get hash	malicious	RedLine	Browse	147.45.47.36
	VOrqSh1Fts.exe	Get hash	malicious	Neoreklami, PureLog Stealer	Browse	193.233.132.234
CLOUDFLARENETUS	Fizet#U00e9s,pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	G1lnGpOLK4.exe	Get hash	malicious	Njrat	Browse	104.20.3.235
	https://www.postermywall.com/index.php/posterbuilder/view/2ce9c49c8ff31b813c516187dd74b5b6/0	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	http://www.multipli.com.au	Get hash	malicious	Unknown	Browse	104.26.9.44
	https://icobath.filecloudonline.com/url/axbhz4sjfzebth22?shareto=finance@loans.company.com	Get hash	malicious	Unknown	Browse	104.16.117.116
	Account report (1).docx	Get hash	malicious	Unknown	Browse	104.18.91.62
	Account report (1).docx	Get hash	malicious	Unknown	Browse	104.18.89.62
	Account report (1).docx	Get hash	malicious	Unknown	Browse	104.18.89.62
	Account report (1).docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	Signature requested-Fiona QR.png	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Detailed RFQ3.xll	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	IT1_Individual_Resident_Return_XLS.xls	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	Arrival Notice.xls	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	Pedido-Faturado-39873.msi	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	https://broken-rain-1a74.1rwvvy66.workers.dev/	Get hash	malicious	HTMLPhisher	Browse	104.26.5.15 34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15 34.117.186.192
	831107010C8578AD95A12C5498B03755EAC398B5BBC0D.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15 34.117.186.192
	SecuriteInfo.com.Win32.PWSX-gen.2624.6335.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15 34.117.186.192
	tZvjMg3Hw9.exe	Get hash	malicious	PureLog Stealer, RedLine, RisePro Stealer, Vidar, zgRAT	Browse	104.26.5.15 34.117.186.192
	https://2625819278.org/MIg2p2	Get hash	malicious	HTMLPhisher	Browse	104.26.5.15 34.117.186.192

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3219456
Entropy (8bit):	7.973694392547135
Encrypted:	false
SSDEEP:	98304:jla6IwxUx3q/LzoApQvwkjnMTOpGG33B246QglY:jla3wxU5q/L8obkjMWGG33B2HG
MD5:	6BF87E7F53315E6A41DE8E99B6702341
SHA1:	125A7D887DF3D2AB6F09E87D7C0FFC883EEEA35B
SHA-256:	7CF9C3F092AFEE2BA38D660AA59E263B329ECC899E583660CD3B59FCD29F9A02
SHA-512:	64689448759CA4280D3EFACF836407E6C6F8BEA6EC13AF9BD2951A1ED6744E42F5717D8D5D590E5E0D7BCD31E60113B9A6ED7FD4DEC6538FF4D34F420F2EC33E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 51%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y...s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L.....2f...............'............d9............@..........................P............@... .. .... .. ..........P.....................................0........................................................................................................................@.......................................@............P... .......0..............@................p.......8..............@................ ...`...8..............@....rsrc...............................@..@.........0y..p...(...H..............@....data....."......."..p..............@...................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3219456
Entropy (8bit):	7.973694392547135
Encrypted:	false
SSDEEP:	98304:jla6IwxUx3q/LzoApQvwkjnMTOpGG33B246QglY:jla3wxU5q/L8obkjMWGG33B2HG
MD5:	6BF87E7F53315E6A41DE8E99B6702341
SHA1:	125A7D887DF3D2AB6F09E87D7C0FFC883EEEA35B
SHA-256:	7CF9C3F092AFEE2BA38D660AA59E263B329ECC899E583660CD3B59FCD29F9A02
SHA-512:	64689448759CA4280D3EFACF836407E6C6F8BEA6EC13AF9BD2951A1ED6744E42F5717D8D5D590E5E0D7BCD31E60113B9A6ED7FD4DEC6538FF4D34F420F2EC33E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 50% Antivirus: Virustotal, Detection: 51%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y...s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L.....2f...............'............d9............@..........................P............@... .. .... .. ..........P.....................................0........................................................................................................................@.......................................@............P... .......0..............@................p.......8..............@................ ...`...8..............@....rsrc...............................@..@.........0y..p...(...H..............@....data....."......."..p..............@...................................................................................................................................................

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	13
Entropy (8bit):	3.0269868333592873
Encrypted:	false
SSDEEP:	3:LuXX6VSn:KH64n
MD5:	479B2EFD1943075EC8248C3251A53959
SHA1:	D266A5335A60A78E9F13F7C830E6BEA4AC44788A
SHA-256:	2F4D20EC61332D99740BECB34D0FF06B41EB33848651D86612251035ED6AE21C
SHA-512:	5108C5B4AA7A7D5009A62ADDAE4518B36040D96E5F4C23E63DB6C658BEFE21AAA90ABA5613F4DF3331BA986579D632CF8EF601423F97CB6F921DDEE4D2DF3CCC
Malicious:	false
Reputation:	low
Preview:	1714628049377

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.973694392547135
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe
File size:	3'219'456 bytes
MD5:	6bf87e7f53315e6a41de8e99b6702341
SHA1:	125a7d887df3d2ab6f09e87d7c0ffc883eeea35b
SHA256:	7cf9c3f092afee2ba38d660aa59e263b329ecc899e583660cd3b59fcd29f9a02
SHA512:	64689448759ca4280d3efacf836407e6c6f8bea6ec13af9bd2951a1ed6744e42f5717d8d5d590e5e0d7bcd31e60113b9a6ed7fd4dec6538ff4d34f420f2ec33e
SSDEEP:	98304:jla6IwxUx3q/LzoApQvwkjnMTOpGG33B246QglY:jla3wxU5q/L8obkjMWGG33B2HG
TLSH:	76E5334F281CF981EA48253D956AE9B6C5CEAC4BA51A400D60F2FF5FF1F2924E578343
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s

File Icon


Icon Hash:	4c4d96ec0ce6c600

Static PE Info

General

Entrypoint:	0xf63964
Entrypoint Section:	.data
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x663202DB [Wed May 1 08:52:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	272279f18f704f637aa129691266b291

Entrypoint Preview

Instruction
jmp 00007F03C0EFD0FAh
add byte ptr [eax+0Eh], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax-18h], ah
add byte ptr [eax], al
add byte ptr [eax], al
pop ebp
sub ebp, 00000010h
sub ebp, 00B63964h
jmp 00007F03C0EFD0F9h
dec edx
cmp ebx, dword ptr [B63964B8h]
add byte ptr [ebx], al
lds eax, fword ptr [ecx+00004CC0h]
add byte ptr [ecx+000005CDh], bh
mov edx, FA1E5B64h
xor byte ptr [eax], dl
inc eax
dec ecx
jne 00007F03C0EFD0ECh
jmp 00007F03C0EFD0F9h
jnbe 00007F03C0EFD09Dh
inc eax
dec edx
out dx, eax
test eax, 6458EDEFh
in eax, A5h
pushfd
test eax, 646462DCh
fimul word ptr fs:[esp+64h]
xchg eax, ebx
xchg byte ptr [edi-54h], ah
out dx, eax
in eax, 68h
mov eax, dword ptr fs:[00E9h]
inc eax
cwde
in eax, dx
pushad
inc eax
xor al, 0Ch
mov byte ptr [eax+120C6445h], al
xor al, dh
dec eax
inc eax
or al, 30h
jnle 00007F03C0EFD0F1h
jbe 00007F03C0EFD07Eh
popad
lea edx, dword ptr fs:[esp+64h]
jmp 00007F03AE8810F6h
dec eax
inc eax
jmp 00007F03B05410FDh
loope 00007F03C0EFD15Eh
out dx, eax
int1
push EF646464h
jmp 00007F0425543569h
movsd
lea esp, dword ptr [esi+55h]
out A6h, ax
pushad
sub eax, 9B90E16Bh
wait
wait
cmp dword ptr [esi+00000000h], esp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x93d050	0xea0	.data
IMAGE_DIRECTORY_ENTRY_IMPORT	0x93def0	0x3b0	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19c000	0xafa0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x93d030	0x10	.data
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x93d000	0x18	.data
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x159000	0x92a00	2ab81961f00ec1dbd3ea5e132a10c457	False	0.999750239769821	data	7.999603691993064	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x15a000	0x28000	0x10200	dd255f77e9b46d5fd64423f7d185098f	False	0.9934138808139535	data	7.991172527649386	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x182000	0x5000	0x800	e92665bb7e02dd4504e9d9317c2216f6	False	0.9931640625	data	7.81663229040033	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x187000	0xb000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x192000	0xa000	0x6000	25046cd7374b7bd38baef77a496b1ad7	False	1.0006510416666667	data	7.993404858996497	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x19c000	0xb000	0xb000	f55c5215c73a04b580fdee8f27a08ae5	False	0.11330344460227272	data	2.153423809128472	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x1a7000	0x793000	0x32800	1475e5a817c2187eaaf1288227166d7e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x93a000	0x22b000	0x22b000	2d71a8720bf24717d875205a8b604ce8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x19c250	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Russian	Russia	0.1320921985815603
RT_ICON	0x19c6b8	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 1600	Russian	Russia	0.10465116279069768
RT_ICON	0x19cd70	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Russian	Russia	0.08770491803278689
RT_ICON	0x19d6f8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Russian	Russia	0.05722326454033771
RT_ICON	0x19e7a0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Russian	Russia	0.03475103734439834
RT_ICON	0x1a0d48	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	Russian	Russia	0.02509447331128956
RT_ICON	0x1a4f70	0x1aae	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.39780380673499266
RT_GROUP_ICON	0x1a6a20	0x68	data	Russian	Russia	0.7596153846153846
RT_VERSION	0x1a6a88	0x398	OpenPGP Public Key	Russian	Russia	0.42282608695652174
RT_MANIFEST	0x1a6e20	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll	MessageBoxA
advapi32.dll	RegCloseKey
oleaut32.dll	SysFreeString
gdi32.dll	CreateFontA
shell32.dll	ShellExecuteA
version.dll	GetFileVersionInfoA
ole32.dll	CoInitialize
WS2_32.dll	WSAStartup
CRYPT32.dll	CryptUnprotectData
SHLWAPI.dll	PathFindExtensionA
gdiplus.dll	GdipGetImageEncoders
SETUPAPI.dll	SetupDiEnumDeviceInfo
ntdll.dll	RtlUnicodeStringToAnsiString
RstrtMgr.DLL	RmStartSession

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/02/24-06:16:16.523614	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49707	147.45.47.93	192.168.2.5
05/02/24-06:16:21.991545	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49707	147.45.47.93	192.168.2.5
05/02/24-06:18:31.640435	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49706	58709	192.168.2.5	147.45.47.93
05/02/24-06:16:16.500069	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49706	147.45.47.93	192.168.2.5
05/02/24-06:18:31.640434	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49707	58709	192.168.2.5	147.45.47.93
05/02/24-06:16:10.960089	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49705	58709	192.168.2.5	147.45.47.93
05/02/24-06:18:35.093509	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49721	58709	192.168.2.5	147.45.47.93
05/02/24-06:16:18.088207	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49705	147.45.47.93	192.168.2.5
05/02/24-06:16:11.105907	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49705	147.45.47.93	192.168.2.5
05/02/24-06:16:21.976112	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49706	147.45.47.93	192.168.2.5
05/02/24-06:17:56.478700	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49721	147.45.47.93	192.168.2.5
05/02/24-06:16:32.277727	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49721	147.45.47.93	192.168.2.5
05/02/24-06:18:31.734139	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49716	58709	192.168.2.5	147.45.47.93
05/02/24-06:18:31.624622	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49705	58709	192.168.2.5	147.45.47.93
05/02/24-06:17:43.913022	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	58709	49716	147.45.47.93	192.168.2.5
05/02/24-06:16:26.984352	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	58709	49716	147.45.47.93	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 2, 2024 06:16:10.728481054 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:10.917278051 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:16:10.917407990 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:10.960088968 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:11.105906963 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:16:11.158376932 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:11.200058937 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:16:14.952080011 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:15.199800014 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:16:16.122921944 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:16.146476984 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:16.311456919 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:16:16.311593056 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:16.318239927 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:16.334918022 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:16:16.335052967 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:16.349420071 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:16.500068903 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:16:16.523613930 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:16:16.546446085 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:16.559372902 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:16:16.577693939 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:16.590204954 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:16:18.088207006 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:16:18.140162945 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:19.666292906 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:19.666579008 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:19.903136015 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:16:19.903153896 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:16:19.908725977 CEST	49708	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:19.908766031 CEST	443	49708	34.117.186.192	192.168.2.5
May 2, 2024 06:16:19.908854008 CEST	49708	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:19.910379887 CEST	49708	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:19.910398960 CEST	443	49708	34.117.186.192	192.168.2.5
May 2, 2024 06:16:20.171745062 CEST	443	49708	34.117.186.192	192.168.2.5
May 2, 2024 06:16:20.171828985 CEST	49708	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:20.176116943 CEST	49708	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:20.176125050 CEST	443	49708	34.117.186.192	192.168.2.5
May 2, 2024 06:16:20.176341057 CEST	443	49708	34.117.186.192	192.168.2.5
May 2, 2024 06:16:20.218297958 CEST	49708	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:20.398972034 CEST	49708	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:20.444128036 CEST	443	49708	34.117.186.192	192.168.2.5
May 2, 2024 06:16:20.546247005 CEST	443	49708	34.117.186.192	192.168.2.5
May 2, 2024 06:16:20.546386957 CEST	443	49708	34.117.186.192	192.168.2.5
May 2, 2024 06:16:20.546468973 CEST	49708	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:20.552582979 CEST	49708	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:20.552607059 CEST	443	49708	34.117.186.192	192.168.2.5
May 2, 2024 06:16:20.552630901 CEST	49708	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:20.552637100 CEST	443	49708	34.117.186.192	192.168.2.5
May 2, 2024 06:16:20.656478882 CEST	49709	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:20.656521082 CEST	443	49709	104.26.5.15	192.168.2.5
May 2, 2024 06:16:20.656619072 CEST	49709	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:20.663209915 CEST	49709	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:20.663228035 CEST	443	49709	104.26.5.15	192.168.2.5
May 2, 2024 06:16:20.850609064 CEST	443	49709	104.26.5.15	192.168.2.5
May 2, 2024 06:16:20.850779057 CEST	49709	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:20.853662014 CEST	49709	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:20.853688002 CEST	443	49709	104.26.5.15	192.168.2.5
May 2, 2024 06:16:20.854023933 CEST	443	49709	104.26.5.15	192.168.2.5
May 2, 2024 06:16:20.855715990 CEST	49709	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:20.896123886 CEST	443	49709	104.26.5.15	192.168.2.5
May 2, 2024 06:16:21.102386951 CEST	443	49709	104.26.5.15	192.168.2.5
May 2, 2024 06:16:21.102469921 CEST	443	49709	104.26.5.15	192.168.2.5
May 2, 2024 06:16:21.102540970 CEST	49709	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:21.103914022 CEST	49709	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:21.103935003 CEST	443	49709	104.26.5.15	192.168.2.5
May 2, 2024 06:16:21.103948116 CEST	49709	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:21.103954077 CEST	443	49709	104.26.5.15	192.168.2.5
May 2, 2024 06:16:21.104466915 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:21.340837002 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:16:21.859329939 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:16:21.905823946 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:21.976111889 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:16:21.991544962 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:16:22.030800104 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:22.046412945 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:22.146975994 CEST	49710	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:22.147020102 CEST	443	49710	34.117.186.192	192.168.2.5
May 2, 2024 06:16:22.147099972 CEST	49710	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:22.149431944 CEST	49710	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:22.149450064 CEST	443	49710	34.117.186.192	192.168.2.5
May 2, 2024 06:16:22.219067097 CEST	49711	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:22.219131947 CEST	443	49711	34.117.186.192	192.168.2.5
May 2, 2024 06:16:22.219198942 CEST	49711	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:22.222786903 CEST	49711	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:22.222815037 CEST	443	49711	34.117.186.192	192.168.2.5
May 2, 2024 06:16:22.404473066 CEST	443	49710	34.117.186.192	192.168.2.5
May 2, 2024 06:16:22.404634953 CEST	49710	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:22.406224012 CEST	49710	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:22.406234980 CEST	443	49710	34.117.186.192	192.168.2.5
May 2, 2024 06:16:22.406445026 CEST	443	49710	34.117.186.192	192.168.2.5
May 2, 2024 06:16:22.448111057 CEST	49710	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:22.478627920 CEST	443	49711	34.117.186.192	192.168.2.5
May 2, 2024 06:16:22.478730917 CEST	49711	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:24.170864105 CEST	49711	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:24.170886040 CEST	443	49711	34.117.186.192	192.168.2.5
May 2, 2024 06:16:24.171367884 CEST	443	49711	34.117.186.192	192.168.2.5
May 2, 2024 06:16:24.218373060 CEST	49711	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:24.364819050 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:16:24.501086950 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:16:24.516541958 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:16:24.577671051 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:24.577676058 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:24.593269110 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:25.185060024 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:25.243078947 CEST	49710	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:25.251857996 CEST	49711	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:25.288120031 CEST	443	49710	34.117.186.192	192.168.2.5
May 2, 2024 06:16:25.296125889 CEST	443	49711	34.117.186.192	192.168.2.5
May 2, 2024 06:16:25.414355993 CEST	443	49711	34.117.186.192	192.168.2.5
May 2, 2024 06:16:25.414496899 CEST	443	49711	34.117.186.192	192.168.2.5
May 2, 2024 06:16:25.414572954 CEST	49711	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:25.422171116 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:16:25.425426006 CEST	49711	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:25.425453901 CEST	443	49711	34.117.186.192	192.168.2.5
May 2, 2024 06:16:25.425481081 CEST	49711	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:25.425487041 CEST	443	49711	34.117.186.192	192.168.2.5
May 2, 2024 06:16:25.437628031 CEST	49712	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:25.437664032 CEST	443	49712	104.26.5.15	192.168.2.5
May 2, 2024 06:16:25.437736988 CEST	49712	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:25.438155890 CEST	49712	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:25.438172102 CEST	443	49712	104.26.5.15	192.168.2.5
May 2, 2024 06:16:25.622268915 CEST	443	49712	104.26.5.15	192.168.2.5
May 2, 2024 06:16:25.622339964 CEST	49712	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:25.623524904 CEST	49712	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:25.623534918 CEST	443	49712	104.26.5.15	192.168.2.5
May 2, 2024 06:16:25.623792887 CEST	443	49712	104.26.5.15	192.168.2.5
May 2, 2024 06:16:25.625317097 CEST	49712	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:25.658600092 CEST	443	49710	34.117.186.192	192.168.2.5
May 2, 2024 06:16:25.658725977 CEST	443	49710	34.117.186.192	192.168.2.5
May 2, 2024 06:16:25.658790112 CEST	49710	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:25.658904076 CEST	49710	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:25.658932924 CEST	49710	443	192.168.2.5	34.117.186.192
May 2, 2024 06:16:25.658931971 CEST	443	49710	34.117.186.192	192.168.2.5
May 2, 2024 06:16:25.658941031 CEST	443	49710	34.117.186.192	192.168.2.5
May 2, 2024 06:16:25.660356998 CEST	49713	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:25.660387993 CEST	443	49713	104.26.5.15	192.168.2.5
May 2, 2024 06:16:25.660468102 CEST	49713	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:25.660732985 CEST	49713	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:25.660747051 CEST	443	49713	104.26.5.15	192.168.2.5
May 2, 2024 06:16:25.668129921 CEST	443	49712	104.26.5.15	192.168.2.5
May 2, 2024 06:16:25.843175888 CEST	443	49713	104.26.5.15	192.168.2.5
May 2, 2024 06:16:25.843360901 CEST	49713	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:25.855242014 CEST	49713	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:25.855261087 CEST	443	49713	104.26.5.15	192.168.2.5
May 2, 2024 06:16:25.855510950 CEST	443	49713	104.26.5.15	192.168.2.5
May 2, 2024 06:16:25.857304096 CEST	49713	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:25.879842997 CEST	443	49712	104.26.5.15	192.168.2.5
May 2, 2024 06:16:25.879945040 CEST	443	49712	104.26.5.15	192.168.2.5
May 2, 2024 06:16:25.880004883 CEST	49712	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:25.880178928 CEST	49712	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:25.880219936 CEST	443	49712	104.26.5.15	192.168.2.5
May 2, 2024 06:16:25.884057045 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:25.904114962 CEST	443	49713	104.26.5.15	192.168.2.5
May 2, 2024 06:16:26.097604036 CEST	443	49713	104.26.5.15	192.168.2.5
May 2, 2024 06:16:26.097718000 CEST	443	49713	104.26.5.15	192.168.2.5
May 2, 2024 06:16:26.097804070 CEST	49713	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:26.100754976 CEST	49713	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:26.100773096 CEST	443	49713	104.26.5.15	192.168.2.5
May 2, 2024 06:16:26.100806952 CEST	49713	443	192.168.2.5	104.26.5.15
May 2, 2024 06:16:26.100811958 CEST	443	49713	104.26.5.15	192.168.2.5
May 2, 2024 06:16:26.104943991 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:26.121495008 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:16:26.341485977 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:16:26.606909990 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:26.795289040 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:16:26.795362949 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:26.802455902 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:26.984352112 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:16:27.043401957 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:16:27.093271017 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:29.692603111 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:16:29.734122038 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:29.894448042 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:16:29.925344944 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:16:29.956260920 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:29.956382036 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:29.966208935 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:16:30.143285990 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:30.200006962 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:16:30.200026989 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:16:30.390355110 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:16:31.900605917 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:32.088974953 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:16:32.089063883 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:32.100095034 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:32.277726889 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:16:32.327650070 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:32.340379000 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:16:35.390290976 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:35.824980021 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:16:45.468389988 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:45.702831984 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:16:51.358984947 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:51.359103918 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:16:51.590539932 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:16:51.590559959 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:00.765420914 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:00.996794939 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:17:01.124672890 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:01.356220961 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:07.046515942 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:07.046531916 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:07.093784094 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:07.277863979 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:07.277885914 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:07.324912071 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:17:07.406017065 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:07.637232065 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:10.546876907 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:10.778038979 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:13.338032007 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:13.338120937 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:13.338191986 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:13.574982882 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:17:13.575001955 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:13.575016022 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:14.251780033 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:14.481138945 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:17.249716997 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:17.249840021 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:17.481185913 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:17.481209993 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:17.546616077 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:17.778228045 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:20.390224934 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:20.390285969 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:20.390332937 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:20.390367031 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:20.621694088 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:17:20.621710062 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:20.621721983 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:17:20.621845007 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:20.687196970 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:20.918343067 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:23.531196117 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:23.531284094 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:23.531344891 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:23.762525082 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:23.762545109 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:17:23.762557983 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:23.812299967 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:24.045192003 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:26.656076908 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:26.656147003 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:26.656239033 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:26.656239033 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:26.887691021 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:26.887698889 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:17:26.887712002 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:26.887717962 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:17:26.952737093 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:27.184245110 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:29.797274113 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:29.797332048 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:29.797399998 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:29.797481060 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:30.027841091 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:30.027862072 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:17:30.027879000 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:17:30.027890921 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:30.093472958 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:30.325189114 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:32.937194109 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:32.937192917 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:32.937266111 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:32.943011045 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:33.168693066 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:17:33.168716908 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:17:33.168735027 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:33.184290886 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:33.218563080 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:33.450031042 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:36.078294992 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:36.078385115 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:36.078433990 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:36.078490973 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:36.309261084 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:36.309271097 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:17:36.309278011 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:17:36.309289932 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:36.363027096 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:36.605834961 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:39.218781948 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:39.218821049 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:39.218919039 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:39.218919039 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:39.449842930 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:17:39.449862957 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:17:39.449870110 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:39.449876070 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:39.501161098 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:39.731971979 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:42.343656063 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:42.343751907 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:42.343754053 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:42.343807936 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:42.574732065 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:17:42.574743986 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:17:42.574759960 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:42.574784994 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:42.625432014 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:42.856333017 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.648056030 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.648087978 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.648113966 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.648125887 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.648149014 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.648159981 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.648176908 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:43.648179054 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.648191929 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.648205996 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.648221016 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:43.648225069 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.648241043 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:43.648260117 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:43.737108946 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.749887943 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:43.752156019 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.765403032 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:43.836658955 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.836692095 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.836734056 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:43.836873055 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.836941957 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.836982965 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:43.837053061 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.837191105 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.837236881 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:43.843430042 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:43.913022041 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.981085062 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:43.996671915 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:44.022659063 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:44.074908018 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:45.484045029 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:45.715337038 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:17:46.859296083 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:46.875021935 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:46.968611002 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:47.031124115 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:47.090542078 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:47.106520891 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:47.201770067 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:47.262629986 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:17:48.609407902 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:48.840390921 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:17:49.999759912 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:49.999933004 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:50.093955040 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:50.156728983 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:50.231185913 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:50.231204033 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:50.324898958 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:50.387542963 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:17:51.749732018 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:51.981240988 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:17:53.140396118 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:53.140399933 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:53.234230995 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:53.297851086 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:53.371743917 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:53.371931076 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:53.465904951 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:53.528278112 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:17:54.890553951 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:55.124783039 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:17:55.466533899 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:55.562431097 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:55.578322887 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:55.593275070 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:55.702611923 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:55.796391010 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:55.949994087 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:55.955082893 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:56.294684887 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:17:56.342509985 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:56.478699923 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:17:56.593209982 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:58.609077930 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:58.702989101 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:58.718521118 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:58.840504885 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:17:58.934732914 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:17:58.949805021 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:17:59.421623945 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:59.609071970 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:17:59.668812990 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:17:59.840508938 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:18:01.734056950 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:01.827950954 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:01.844048977 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:01.965594053 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:18:01.987576008 CEST	49723	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:01.987615108 CEST	443	49723	34.117.186.192	192.168.2.5
May 2, 2024 06:18:01.987690926 CEST	49723	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:01.990514994 CEST	49723	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:01.990539074 CEST	443	49723	34.117.186.192	192.168.2.5
May 2, 2024 06:18:02.059370041 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:18:02.074856997 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:18:02.245609999 CEST	443	49723	34.117.186.192	192.168.2.5
May 2, 2024 06:18:02.245712996 CEST	49723	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:02.247545958 CEST	49723	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:02.247555971 CEST	443	49723	34.117.186.192	192.168.2.5
May 2, 2024 06:18:02.247771025 CEST	443	49723	34.117.186.192	192.168.2.5
May 2, 2024 06:18:02.300761938 CEST	49723	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:02.348121881 CEST	443	49723	34.117.186.192	192.168.2.5
May 2, 2024 06:18:02.519706964 CEST	443	49723	34.117.186.192	192.168.2.5
May 2, 2024 06:18:02.519790888 CEST	443	49723	34.117.186.192	192.168.2.5
May 2, 2024 06:18:02.519856930 CEST	49723	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:02.520494938 CEST	49723	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:02.520529032 CEST	443	49723	34.117.186.192	192.168.2.5
May 2, 2024 06:18:02.520545006 CEST	49723	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:02.520553112 CEST	443	49723	34.117.186.192	192.168.2.5
May 2, 2024 06:18:02.546502113 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:02.670375109 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:18:02.702569962 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:18:02.719645977 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:18:02.749634027 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:02.781858921 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:18:02.796370983 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:02.796380997 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:02.797369957 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:02.810841084 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:18:02.905709028 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:02.954466105 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:18:03.093250990 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:05.812180996 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:05.843450069 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:05.859064102 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:05.937365055 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:06.043832064 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:18:06.075135946 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:18:06.090217113 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:18:06.093585968 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:06.168759108 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:18:06.325038910 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:18:07.798872948 CEST	49724	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:07.798913956 CEST	443	49724	104.26.5.15	192.168.2.5
May 2, 2024 06:18:07.798995018 CEST	49724	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:07.799467087 CEST	49724	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:07.799480915 CEST	443	49724	104.26.5.15	192.168.2.5
May 2, 2024 06:18:07.985390902 CEST	443	49724	104.26.5.15	192.168.2.5
May 2, 2024 06:18:07.985529900 CEST	49724	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:07.987272978 CEST	49724	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:07.987278938 CEST	443	49724	104.26.5.15	192.168.2.5
May 2, 2024 06:18:07.987479925 CEST	443	49724	104.26.5.15	192.168.2.5
May 2, 2024 06:18:07.990725040 CEST	49724	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:08.032116890 CEST	443	49724	104.26.5.15	192.168.2.5
May 2, 2024 06:18:08.247870922 CEST	443	49724	104.26.5.15	192.168.2.5
May 2, 2024 06:18:08.247941971 CEST	443	49724	104.26.5.15	192.168.2.5
May 2, 2024 06:18:08.248083115 CEST	49724	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:08.248414040 CEST	49724	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:08.248425961 CEST	443	49724	104.26.5.15	192.168.2.5
May 2, 2024 06:18:08.248454094 CEST	49724	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:08.248459101 CEST	443	49724	104.26.5.15	192.168.2.5
May 2, 2024 06:18:08.952934027 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:08.953439951 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:08.968530893 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:08.984234095 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:09.184034109 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:18:09.184062004 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:18:09.184149981 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:09.199639082 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:18:09.215714931 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:18:09.218384981 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:09.421607971 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:18:09.449769974 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:18:10.920075893 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:18:10.951689959 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:18:10.966949940 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:18:10.999448061 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:11.003031015 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:11.029383898 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:18:11.171783924 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:18:11.202594042 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:11.202620983 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:11.359915972 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:18:11.360007048 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:11.390124083 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:14.062181950 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:14.093611002 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:14.093619108 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:14.187237978 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:14.293651104 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:18:14.312354088 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:14.324987888 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:18:14.325031996 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:18:14.418559074 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:18:14.543620110 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:18:15.938813925 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:18:15.969727993 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:18:15.983159065 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:18:15.999439955 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:16.062206030 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:18:16.108936071 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:16.108938932 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:16.186997890 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:16.328908920 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:18:16.483882904 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:19.077833891 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:19.093544006 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:19.108999014 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:19.202811956 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:19.309281111 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:18:19.324937105 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:18:19.340651035 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:18:19.434168100 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:18:19.452785015 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:19.684348106 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:18:20.877079964 CEST	49725	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:20.877132893 CEST	443	49725	34.117.186.192	192.168.2.5
May 2, 2024 06:18:20.877204895 CEST	49725	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:20.878865004 CEST	49725	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:20.878876925 CEST	443	49725	34.117.186.192	192.168.2.5
May 2, 2024 06:18:21.133723021 CEST	443	49725	34.117.186.192	192.168.2.5
May 2, 2024 06:18:21.133905888 CEST	49725	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:21.135298967 CEST	49725	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:21.135308981 CEST	443	49725	34.117.186.192	192.168.2.5
May 2, 2024 06:18:21.135513067 CEST	443	49725	34.117.186.192	192.168.2.5
May 2, 2024 06:18:21.179153919 CEST	49725	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:21.224123001 CEST	443	49725	34.117.186.192	192.168.2.5
May 2, 2024 06:18:21.424904108 CEST	443	49725	34.117.186.192	192.168.2.5
May 2, 2024 06:18:21.425003052 CEST	443	49725	34.117.186.192	192.168.2.5
May 2, 2024 06:18:21.425062895 CEST	49725	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:21.425868988 CEST	49725	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:21.425884962 CEST	443	49725	34.117.186.192	192.168.2.5
May 2, 2024 06:18:21.425908089 CEST	49725	443	192.168.2.5	34.117.186.192
May 2, 2024 06:18:21.425913095 CEST	443	49725	34.117.186.192	192.168.2.5
May 2, 2024 06:18:21.428426981 CEST	49726	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:21.428458929 CEST	443	49726	104.26.5.15	192.168.2.5
May 2, 2024 06:18:21.428533077 CEST	49726	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:21.428826094 CEST	49726	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:21.428833961 CEST	443	49726	104.26.5.15	192.168.2.5
May 2, 2024 06:18:21.612442017 CEST	443	49726	104.26.5.15	192.168.2.5
May 2, 2024 06:18:21.612515926 CEST	49726	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:21.614752054 CEST	49726	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:21.614759922 CEST	443	49726	104.26.5.15	192.168.2.5
May 2, 2024 06:18:21.615148067 CEST	443	49726	104.26.5.15	192.168.2.5
May 2, 2024 06:18:21.617208958 CEST	49726	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:21.660115004 CEST	443	49726	104.26.5.15	192.168.2.5
May 2, 2024 06:18:21.868845940 CEST	443	49726	104.26.5.15	192.168.2.5
May 2, 2024 06:18:21.868932962 CEST	443	49726	104.26.5.15	192.168.2.5
May 2, 2024 06:18:21.869045973 CEST	49726	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:21.869401932 CEST	49726	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:21.869414091 CEST	443	49726	104.26.5.15	192.168.2.5
May 2, 2024 06:18:21.869426012 CEST	49726	443	192.168.2.5	104.26.5.15
May 2, 2024 06:18:21.869431019 CEST	443	49726	104.26.5.15	192.168.2.5
May 2, 2024 06:18:21.869899988 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:22.106199026 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:18:22.218415976 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:22.234004021 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:22.249762058 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:22.327852964 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:22.449722052 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:18:22.465408087 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:18:22.481077909 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:18:22.559155941 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:18:22.578058958 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:22.809456110 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:18:25.359153032 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:25.374701977 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:25.374814034 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:25.468560934 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:25.590646982 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:18:25.606236935 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:18:25.606251955 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:18:25.699994087 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:18:25.702785015 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:25.934355021 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:18:28.484045029 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:28.499834061 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:28.501061916 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:28.593405008 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:28.715766907 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:18:28.732388020 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:18:28.732517004 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:18:28.826240063 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:18:28.827892065 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:29.059204102 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:18:31.624622107 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:31.640434980 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:31.640434027 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:31.734138966 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:31.856394053 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:18:31.871421099 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:18:31.871433973 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:18:31.965579033 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:18:31.968480110 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:32.199809074 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:18:34.685784101 CEST	58709	49705	147.45.47.93	192.168.2.5
May 2, 2024 06:18:34.720376968 CEST	58709	49706	147.45.47.93	192.168.2.5
May 2, 2024 06:18:34.733294010 CEST	58709	49707	147.45.47.93	192.168.2.5
May 2, 2024 06:18:34.796334982 CEST	49705	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:34.796427965 CEST	49707	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:34.798258066 CEST	58709	49716	147.45.47.93	192.168.2.5
May 2, 2024 06:18:34.866719007 CEST	49706	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:34.866796017 CEST	49716	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:35.093508959 CEST	49721	58709	192.168.2.5	147.45.47.93
May 2, 2024 06:18:35.324588060 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:18:35.497937918 CEST	58709	49721	147.45.47.93	192.168.2.5
May 2, 2024 06:18:35.686932087 CEST	49721	58709	192.168.2.5	147.45.47.93

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 2, 2024 06:16:19.787619114 CEST	56020	53	192.168.2.5	1.1.1.1
May 2, 2024 06:16:19.876621008 CEST	53	56020	1.1.1.1	192.168.2.5
May 2, 2024 06:16:20.556715965 CEST	64021	53	192.168.2.5	1.1.1.1
May 2, 2024 06:16:20.646522999 CEST	53	64021	1.1.1.1	192.168.2.5
May 2, 2024 06:18:01.889924049 CEST	49655	53	192.168.2.5	1.1.1.1
May 2, 2024 06:18:01.978928089 CEST	53	49655	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 2, 2024 06:16:19.787619114 CEST	192.168.2.5	1.1.1.1	0x3922	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
May 2, 2024 06:16:20.556715965 CEST	192.168.2.5	1.1.1.1	0x5129	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false
May 2, 2024 06:18:01.889924049 CEST	192.168.2.5	1.1.1.1	0x14a	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 2, 2024 06:16:19.876621008 CEST	1.1.1.1	192.168.2.5	0x3922	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false
May 2, 2024 06:16:20.646522999 CEST	1.1.1.1	192.168.2.5	0x5129	No error (0)	db-ip.com	104.26.5.15	A (IP address)	IN (0x0001)	false
May 2, 2024 06:16:20.646522999 CEST	1.1.1.1	192.168.2.5	0x5129	No error (0)	db-ip.com	172.67.75.166	A (IP address)	IN (0x0001)	false
May 2, 2024 06:16:20.646522999 CEST	1.1.1.1	192.168.2.5	0x5129	No error (0)	db-ip.com	104.26.4.15	A (IP address)	IN (0x0001)	false
May 2, 2024 06:18:01.978928089 CEST	1.1.1.1	192.168.2.5	0x14a	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

https:

ipinfo.io

db-ip.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	34.117.186.192	443	5080	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:16:20 UTC	239	OUT	GET /widget/demo/191.96.150.225 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-05-02 04:16:20 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Thu, 02 May 2024 04:16:20 GMT content-type: application/json; charset=utf-8 Content-Length: 921 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 3 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 04:16:20 UTC	742	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e Data Ascii: { "input": "191.96.150.225", "data": { "ip": "191.96.150.225", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS174 Cogent Communications", "postal": "10001", "timezon
2024-05-02 04:16:20 UTC	179	IN	Data Raw: 22 3a 20 22 50 72 69 76 61 74 65 20 52 65 73 69 64 65 6e 63 65 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 50 72 69 76 61 74 65 20 43 75 73 74 6f 6d 65 72 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 39 31 2e 39 36 2e 31 35 30 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: ": "Private Residence", "country": "US", "email": "abuse@ipxo.com", "name": "Private Customer", "network": "191.96.150.0/24", "phone": "" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49709	104.26.5.15	443	5080	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:16:20 UTC	263	OUT	GET /demo/home.php?s=191.96.150.225 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-05-02 04:16:21 UTC	654	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:16:21 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: A29E9B21:2D18_93878F2E:0050_66331395_B1CD1D2:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qf2P1lSGiyEN%2BxqaT6HpWp7dnc0anghDxfp7knAsDo3kKHr91ttTREOdRwFghiasiy5ewvfpJoxlfNbDZolnDmuv3mRE0DUEX%2FLMdAyxj%2FEJxXFRVnY4bu1Gag%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d532035be94356-EWR alt-svc: h3=":443"; ma=86400
2024-05-02 04:16:21 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-05-02 04:16:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49710	34.117.186.192	443	6552	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:16:25 UTC	239	OUT	GET /widget/demo/191.96.150.225 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-05-02 04:16:25 UTC	515	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Thu, 02 May 2024 04:16:25 GMT content-type: application/json; charset=utf-8 Content-Length: 921 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 273 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 04:16:25 UTC	740	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e Data Ascii: { "input": "191.96.150.225", "data": { "ip": "191.96.150.225", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS174 Cogent Communications", "postal": "10001", "timezon
2024-05-02 04:16:25 UTC	181	IN	Data Raw: 73 73 22 3a 20 22 50 72 69 76 61 74 65 20 52 65 73 69 64 65 6e 63 65 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 50 72 69 76 61 74 65 20 43 75 73 74 6f 6d 65 72 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 39 31 2e 39 36 2e 31 35 30 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: ss": "Private Residence", "country": "US", "email": "abuse@ipxo.com", "name": "Private Customer", "network": "191.96.150.0/24", "phone": "" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49711	34.117.186.192	443	1440	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:16:25 UTC	239	OUT	GET /widget/demo/191.96.150.225 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-05-02 04:16:25 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Thu, 02 May 2024 04:16:25 GMT content-type: application/json; charset=utf-8 Content-Length: 921 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 1 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 04:16:25 UTC	742	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e Data Ascii: { "input": "191.96.150.225", "data": { "ip": "191.96.150.225", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS174 Cogent Communications", "postal": "10001", "timezon
2024-05-02 04:16:25 UTC	179	IN	Data Raw: 22 3a 20 22 50 72 69 76 61 74 65 20 52 65 73 69 64 65 6e 63 65 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 50 72 69 76 61 74 65 20 43 75 73 74 6f 6d 65 72 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 39 31 2e 39 36 2e 31 35 30 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: ": "Private Residence", "country": "US", "email": "abuse@ipxo.com", "name": "Private Customer", "network": "191.96.150.0/24", "phone": "" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49712	104.26.5.15	443	1440	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:16:25 UTC	263	OUT	GET /demo/home.php?s=191.96.150.225 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-05-02 04:16:25 UTC	650	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:16:25 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC46E6C4:A556_93878F2E:0050_66331399_B1CD272:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tPqLokzyzjuRJWX30DHMwX5w1yZpK2TN81vBW0KtJ9o3q5l9WcHBkxKdz7ieE4PpkgiPKIYHu2gVugT58H62PPLmEXBpR7QtnpSD%2BEjTY7K6MmlasEx72PsQ2Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d53221392c7c93-EWR alt-svc: h3=":443"; ma=86400
2024-05-02 04:16:25 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-05-02 04:16:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49713	104.26.5.15	443	6552	C:\ProgramData\MPGPH131\MPGPH131.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:16:25 UTC	263	OUT	GET /demo/home.php?s=191.96.150.225 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-05-02 04:16:26 UTC	658	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:16:26 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC466E2B:2BD4_93878F2E:0050_6633139A_B1F9D6D:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BMItdTY%2F24xdvXBBzlqq1s2u328sJZYWM31eHI7WAE0mzC%2FMv%2BI5NWkcRGxEdcYK4SkqiRkHtLouBkISvcJUTEcMEFaYpEnL6WYEWEulW6VApftslYZ6h7yT%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d532229a9e1861-EWR alt-svc: h3=":443"; ma=86400
2024-05-02 04:16:26 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-05-02 04:16:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49723	34.117.186.192	443	2724	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:18:02 UTC	239	OUT	GET /widget/demo/191.96.150.225 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-05-02 04:18:02 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Thu, 02 May 2024 04:18:02 GMT content-type: application/json; charset=utf-8 Content-Length: 921 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 04:18:02 UTC	742	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e Data Ascii: { "input": "191.96.150.225", "data": { "ip": "191.96.150.225", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS174 Cogent Communications", "postal": "10001", "timezon
2024-05-02 04:18:02 UTC	179	IN	Data Raw: 22 3a 20 22 50 72 69 76 61 74 65 20 52 65 73 69 64 65 6e 63 65 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 50 72 69 76 61 74 65 20 43 75 73 74 6f 6d 65 72 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 39 31 2e 39 36 2e 31 35 30 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: ": "Private Residence", "country": "US", "email": "abuse@ipxo.com", "name": "Private Customer", "network": "191.96.150.0/24", "phone": "" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49724	104.26.5.15	443	2724	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:18:07 UTC	263	OUT	GET /demo/home.php?s=191.96.150.225 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-05-02 04:18:08 UTC	662	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:18:08 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC46E6C8:7114_93878F2E:0050_66331400_B1CDDFD:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w9Ac%2B98JsvT6n0wDRlp0mFsG%2B%2FpcB%2B6l9l5rlq4AQk5Tddy9%2BcXUUnTjDM0etGdLfwqz%2BrPpsLvDwa5PxCYawF1%2Br9lqSp2M1BuXaA215dbKfGVz0ESfwQJ0Gw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d534a0f9f58c81-EWR alt-svc: h3=":443"; ma=86400
2024-05-02 04:18:08 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-05-02 04:18:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.5	49725	34.117.186.192	443

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:18:21 UTC	239	OUT	GET /widget/demo/191.96.150.225 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-05-02 04:18:21 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Thu, 02 May 2024 04:18:21 GMT content-type: application/json; charset=utf-8 Content-Length: 921 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 04:18:21 UTC	742	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 39 31 2e 39 36 2e 31 35 30 2e 32 32 35 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e Data Ascii: { "input": "191.96.150.225", "data": { "ip": "191.96.150.225", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS174 Cogent Communications", "postal": "10001", "timezon
2024-05-02 04:18:21 UTC	179	IN	Data Raw: 22 3a 20 22 50 72 69 76 61 74 65 20 52 65 73 69 64 65 6e 63 65 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 50 72 69 76 61 74 65 20 43 75 73 74 6f 6d 65 72 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 39 31 2e 39 36 2e 31 35 30 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: ": "Private Residence", "country": "US", "email": "abuse@ipxo.com", "name": "Private Customer", "network": "191.96.150.0/24", "phone": "" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.5	49726	104.26.5.15	443

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:18:21 UTC	263	OUT	GET /demo/home.php?s=191.96.150.225 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-05-02 04:18:21 UTC	654	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:18:21 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC46739D:3190_93878F2E:0050_6633140D_B1FA9D9:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xjxMyBm8bo7eZbQ0INXCdh6075HBo8rrjaoPaff5PJ4wEjlF0NYPLwpRngXkRBHsDPjeOmIw7y%2F0p73OMuy3BuC%2FZ%2Fjaxa3mWmyJ5w7RsBDMnoVZ0owhNZOk4w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87d534f62eb77286-EWR alt-svc: h3=":443"; ma=86400
2024-05-02 04:18:21 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-05-02 04:18:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	06:16:05
Start date:	02/05/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe"
Imagebase:	0x60000
File size:	3'219'456 bytes
MD5 hash:	6BF87E7F53315E6A41DE8E99B6702341
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	06:16:09
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0xf0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:16:09
Start date:	02/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:16:09
Start date:	02/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0xf0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:16:09
Start date:	02/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:16:11
Start date:	02/05/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0xed0000
File size:	3'219'456 bytes
MD5 hash:	6BF87E7F53315E6A41DE8E99B6702341
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 50%, ReversingLabs Detection: 51%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	06:16:11
Start date:	02/05/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0xed0000
File size:	3'219'456 bytes
MD5 hash:	6BF87E7F53315E6A41DE8E99B6702341
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	06:16:20
Start date:	02/05/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x7d0000
File size:	3'219'456 bytes
MD5 hash:	6BF87E7F53315E6A41DE8E99B6702341
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Avira Detection: 50%, ReversingLabs Detection: 51%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	06:16:28
Start date:	02/05/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x7d0000
File size:	3'219'456 bytes
MD5 hash:	6BF87E7F53315E6A41DE8E99B6702341
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	52.3%
Total number of Nodes:	1004
Total number of Limit Nodes:	9

Executed Functions

Function 00125940 Relevance: 12.1, APIs: 8, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0012596A
getaddrinfo.WS2_32(?,?,?,001E6328), ref: 001259EC
socket.WS2_32(?,?,?), ref: 00125A0D
connect.WS2_32(00000000,001B6B31,?), ref: 00125A21
closesocket.WS2_32(00000000), ref: 00125A2D
FreeAddrInfoW.WS2_32(?), ref: 00125A3A
WSACleanup.WS2_32 ref: 00125A40
FreeAddrInfoW.WS2_32(?), ref: 00125A55

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
String ID:
API String ID: 448659506-0
Opcode ID: e070ed87ede8f5f52c74d3753f47ac9619cc9d983d2924b2b14d8a18ea4c8119
Instruction ID: 368e2e510650450eea4b220262cca0d0300e756aa1d3dd6cf415d4431c5f2a20
Opcode Fuzzy Hash: e070ed87ede8f5f52c74d3753f47ac9619cc9d983d2924b2b14d8a18ea4c8119
Instruction Fuzzy Hash: B531A1325047109BD7209F68EC89B6ABBE6FF84734F544B1DF9A5935F0D33098548B92

Uniqueness

Uniqueness Score: -1.00%

Function 00124EB0 Relevance: 18.3, APIs: 12, Instructions: 279
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000003FC,0000FFFF,00001006,?,00000008), ref: 00124F56
recv.WS2_32(?,00000004,00000002), ref: 00124F71
WSAGetLastError.WS2_32 ref: 00124F75
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00124FF3
recv.WS2_32(00000000,0000000C,00000008), ref: 00125014
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 001250B0
recv.WS2_32(00000000,?,00000008), ref: 001250CB

Part of subcall function 00125940: WSAStartup.WS2_32 ref: 0012596A
Part of subcall function 00125940: getaddrinfo.WS2_32(?,?,?,001E6328), ref: 001259EC
Part of subcall function 00125940: socket.WS2_32(?,?,?), ref: 00125A0D
Part of subcall function 00125940: connect.WS2_32(00000000,001B6B31,?), ref: 00125A21
Part of subcall function 00125940: closesocket.WS2_32(00000000), ref: 00125A2D
Part of subcall function 00125940: FreeAddrInfoW.WS2_32(?), ref: 00125A3A
Part of subcall function 00125940: WSACleanup.WS2_32 ref: 00125A40

recv.WS2_32(?,00000004,00000008), ref: 001251D3
__Xtime_get_ticks.LIBCPMT ref: 001251DA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001251E8
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00125261
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00125269

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectgetaddrinfosocket
String ID:
API String ID: 3089209366-0
Opcode ID: 3e9dd5d8e396fb87fd36f4a6f42390e6f0eed841e82b3213117c4d99029bb963
Instruction ID: 581380d956ce076616978c96dc8814aaf962ec9f92be08e007c6ad1d30f99682
Opcode Fuzzy Hash: 3e9dd5d8e396fb87fd36f4a6f42390e6f0eed841e82b3213117c4d99029bb963
Instruction Fuzzy Hash: 93B1C9B1D00358DFEB14DFA8DC89BADBBB6BB55300F604218E454AF6E2D7B05994CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00069280 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 382
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,001AA4DC,00000000,76A923A0,-001E6880), ref: 000696A6
GetProcAddress.KERNEL32(00000000,?), ref: 000696B4
WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,001AA4DC,00000000,76A923A0,-001E6880), ref: 000696C9

Strings

4oST, xrefs: 0006962C
4oST, xrefs: 00069660
Ws2_32.dll, xrefs: 0006969A

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProcSend
String ID: 4oST$4oST$Ws2_32.dll
API String ID: 2819740048-1839276265
Opcode ID: d4a74c9092c48154d8cdfac6e8b4422fced103b583d3d99ca7a330e446b55fd1
Instruction ID: 7b0b1ef7989d8ba7cd3810a856982811d32c5617f1a1dd9aae788fa4370f39c7
Opcode Fuzzy Hash: d4a74c9092c48154d8cdfac6e8b4422fced103b583d3d99ca7a330e446b55fd1
Instruction Fuzzy Hash: E402E070D04298DFCF25CF94C890BEDBBB5EF55310F244289E4456BA86D7701A86CB92

Uniqueness

Uniqueness Score: -1.00%

Function 000A8900 Relevance: 9.3, APIs: 6, Instructions: 292
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d83a4e116ad9e24a3b102875af8e3342863e04a2e4cec53a187a53492161e82f
Instruction ID: f8f85c89dbf2621f7e48dc475f9c3abf09e391fb258ce50fb0d3e0b6e5ddb055
Opcode Fuzzy Hash: d83a4e116ad9e24a3b102875af8e3342863e04a2e4cec53a187a53492161e82f
Instruction Fuzzy Hash: C5B1E5B4A14249AFDB11DFD8C881BEEBBF5BF4A314F188158E5059B292CB709981CF61

Uniqueness

Uniqueness Score: -1.00%

Function 001252A0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 399
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4oST, xrefs: 001255B5
4oST, xrefs: 00125451
4oST, xrefs: 0012552A
191.96.150.225, xrefs: 00125328

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 191.96.150.225$4oST$4oST$4oST
API String ID: 0-2793144940
Opcode ID: 08a59304f20bf11f4946ea74479f4278c0929372990e10ed4f86ed37f06c826c
Instruction ID: f57389981bf469a10c5cc4211d551b9f67e69da284de27a4ad4f8bfc8de5ff59
Opcode Fuzzy Hash: 08a59304f20bf11f4946ea74479f4278c0929372990e10ed4f86ed37f06c826c
Instruction Fuzzy Hash: 17021D70D04298DFEB14DFA8C9857DDBBB1AF14304F548099E8097B283D7B55E88DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00144050 Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(?), ref: 001440AC
GetLastError.KERNEL32 ref: 001440B7
std::_Throw_Cpp_error.LIBCPMT ref: 001440FF
std::_Throw_Cpp_error.LIBCPMT ref: 00144110

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$AttributesErrorFileLast
String ID:
API String ID: 995686243-0
Opcode ID: ce7c7bfc88954c145ef68910b315f8e58a6c4741385c39ad55118987ec147d32
Instruction ID: b9c315fddb9d46bb1fd879f31552fa774713082885ecfdf675c4deb38ae2e83d
Opcode Fuzzy Hash: ce7c7bfc88954c145ef68910b315f8e58a6c4741385c39ad55118987ec147d32
Instruction Fuzzy Hash: EA11BAB0500680AFCF245F289C093ED37649B12B70F640324F6359BAE1DB3288A98652

Uniqueness

Uniqueness Score: -1.00%

Function 000A9779 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000A8E8F: GetConsoleOutputCP.KERNEL32(21FC8FDF,00000000,00000000,?), ref: 000A8EF2

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000A98FE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?), ref: 000A9908

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 549404e0783ac4e05719f7f7fda890daac3ebf7fa16c024dfa3f6ee8607b2211
Instruction ID: c4f8331a4559bb2f01de87c7aeb0775c73b16d80dd8ccfb02072b95e3bd35d3d
Opcode Fuzzy Hash: 549404e0783ac4e05719f7f7fda890daac3ebf7fa16c024dfa3f6ee8607b2211
Instruction Fuzzy Hash: B6618071E04119BFDF11DFE8C884AEEBBF9AF4A308F140159E904A7256D736D941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000A8DEF Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,000A8CD6,00000000,?,001D7178,0000000C,000A8D92,?,?,?), ref: 000A8E45
GetLastError.KERNEL32(?,000A8CD6,00000000,?,001D7178,0000000C,000A8D92,?,?,?), ref: 000A8E4F

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 30e2a0ff14fc9e24edc88749b9f4854f42612ddc83773e6333062a7ce01fef6b
Instruction ID: 25e39e3d6dd5999d726bdbe81111cf82c82bd7cd98795e78149c3fe2bad2f15f
Opcode Fuzzy Hash: 30e2a0ff14fc9e24edc88749b9f4854f42612ddc83773e6333062a7ce01fef6b
Instruction Fuzzy Hash: C9114C32604250A6C665A2F49D49BFE27DD8B83734F294609F918DB1C3DF709CC08390

Uniqueness

Uniqueness Score: -1.00%

Function 000A250C Relevance: 3.1, APIs: 2, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,000A2616,?,?,?,?,?), ref: 000A2548
GetLastError.KERNEL32(?,?,?,?,000A2616,?,?,?,?,?,00000000,?,00000000), ref: 000A2555

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 5fdbf12fdd23a9b803ea2dea7b9a765518c752e892a236cf0e5d87368ac42ff6
Instruction ID: 10d54a2a6ed6b22d1f6f76226cc16a4a8f82619a94519143266f19f2ca447921
Opcode Fuzzy Hash: 5fdbf12fdd23a9b803ea2dea7b9a765518c752e892a236cf0e5d87368ac42ff6
Instruction Fuzzy Hash: F1012633A14655AFCF09CFA8DC1589E3B69EF86320F640218F801DB291E671ED818B90

Uniqueness

Uniqueness Score: -1.00%

Function 000AB00C Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,000B1B36,?,00000000,?,?,000B1DD7,?,00000007,?,?,000B22CB,?,?), ref: 000AB022
GetLastError.KERNEL32(?,?,000B1B36,?,00000000,?,?,000B1DD7,?,00000007,?,?,000B22CB,?,?), ref: 000AB02D

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 95e66d7676d614e75f11abc5e9aa3ebd71af969b8d742cee19a7d6b4a01dc807
Instruction ID: 6270f9ca046847f815df709903dd0775237d479b0dec569e29e70100750b1b56
Opcode Fuzzy Hash: 95e66d7676d614e75f11abc5e9aa3ebd71af969b8d742cee19a7d6b4a01dc807
Instruction Fuzzy Hash: 28E0C232100214ABCB213FF4EC09BCE3B99AF01395F444060F70DDB462DB388890C784

Uniqueness

Uniqueness Score: -1.00%

Function 00098DF2 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551d96903b21bd7a6fd3a80ff7de6a75cbbd39a9594514dfde71e2aac60443a7
Instruction ID: e67e475febdab31459d591b8d5b16d38c4430dd7be8e40a930ef5d12e123d51f
Opcode Fuzzy Hash: 551d96903b21bd7a6fd3a80ff7de6a75cbbd39a9594514dfde71e2aac60443a7
Instruction Fuzzy Hash: A851A371A00204AFDF14CF58C895AAE7BF6EB4A314F28D169F8099B352D731DE41EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00089E20 Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00089F7B

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 51120e908a1a3a6ce0e714f3c66e6a8a6327792f1c2089bdcb1c738ab8da5ee2
Instruction ID: f51a9c45899195070633e9456e35955c60d1d65a076a02adaf93b29f34696453
Opcode Fuzzy Hash: 51120e908a1a3a6ce0e714f3c66e6a8a6327792f1c2089bdcb1c738ab8da5ee2
Instruction Fuzzy Hash: 2D41B271A001159FCB14EF68C9459BEBBF9FB89350F28422AE855E7386D770DE018BE0

Uniqueness

Uniqueness Score: -1.00%

Function 000632D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0006331F

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction ID: d006d200d0c83988e018bf6d044ce3067b6f1a4cf7915d440358aaa6152cb69b
Opcode Fuzzy Hash: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction Fuzzy Hash: 3EF0B4721001149BCF186F64D4168EAB3E9EF143A5710497AE88DD7313EB26DB4097D0

Uniqueness

Uniqueness Score: -1.00%

Function 000AB086 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 000AB0B8

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b1486e9d3af0c4ecbb2653e8ca9cc9726540b61e7b908fc618df3012709508e6
Instruction ID: 23b077ea1f1f87aebc1476bf2660930e58585eac2374758f81db05f19f15a4c1
Opcode Fuzzy Hash: b1486e9d3af0c4ecbb2653e8ca9cc9726540b61e7b908fc618df3012709508e6
Instruction Fuzzy Hash: 32E06D312016206BEA712BF59C00FAF3A89AF433E0F150221FD65E70D3DB20CC4082E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 000F1680 Relevance: 462.5, APIs: 37, Strings: 220, Instructions: 12751filestringregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00000001,?,?,?,?,?,?,?,?,00000000), ref: 000F18A9
RegQueryValueExA.ADVAPI32(?,00000000,00000000,00000000,00000000,4843FA0B,?,?,?,?,?,?,?,00000000), ref: 000F18CC
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,00000000), ref: 000F18D7
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 000F1AC7

Part of subcall function 00144050: GetFileAttributesA.KERNELBASE(?), ref: 001440AC
Part of subcall function 00144050: GetLastError.KERNEL32 ref: 001440B7

FindFirstFileA.KERNEL32(?,?), ref: 000F207F
FindNextFileA.KERNEL32(00000000,?), ref: 000F248C
FindClose.KERNEL32(00000000), ref: 000F249C
CreateDirectoryA.KERNEL32(?,00000000), ref: 000F2573
CreateDirectoryA.KERNEL32(?,00000000), ref: 000F2639
CopyFileA.KERNEL32(00000000,00000000,00000000), ref: 000F27BD

Part of subcall function 00144050: std::_Throw_Cpp_error.LIBCPMT ref: 001440FF
Part of subcall function 00144050: std::_Throw_Cpp_error.LIBCPMT ref: 00144110

CreateDirectoryA.KERNEL32(?,00000000), ref: 000F2964
CopyFileA.KERNEL32(00000000,?,00000000), ref: 000F2C18
CopyFileA.KERNEL32(?,00000000,00000000), ref: 000F3158
CredEnumerateA.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?), ref: 000F351D

Part of subcall function 000951EB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,76A923A0,?,00091CF9,?,001D69D8,76A923A0,?,76A923A0,-001E6880), ref: 0009524B

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 000F4024
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 000F4122
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 000F4315
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000F5B98
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 000F606F
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 000F6324
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 000F6422
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 000F6618
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 000F8931
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,?,?), ref: 000F8C78
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 000F8D85
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 000F8F78
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 000FAD4D
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 000FB014
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 000FB112
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 000FB305
lstrlen.KERNEL32(?), ref: 000FCA52
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 000FCD44
GetPrivateProfileSectionNamesA.KERNEL32(?,00001000,?), ref: 000FCE42
GetPrivateProfileStringA.KERNEL32(?,?,00000000,?,00000104,?), ref: 000FD035
CreateDirectoryA.KERNEL32(?,00000000), ref: 000FF796
CreateDirectoryA.KERNEL32(?,00000000), ref: 000FFA7D
lstrlen.KERNEL32(?), ref: 00100FAE

Strings

4oST, xrefs: 000FF4C8
9lX, xrefs: 000F95A0
gUb, xrefs: 000F296A
4oST, xrefs: 00100B48
4oST, xrefs: 000FF12A
4oST, xrefs: 000FE61F
4oST, xrefs: 000F917C
4oST, xrefs: 000F30B2
9lX, xrefs: 000F4950
4oST, xrefs: 00100654
4oST, xrefs: 00100943
4oST, xrefs: 000FC2FE
g[`, xrefs: 000FB943
4oST, xrefs: 00100B94
k@z, xrefs: 000F4239
4oST, xrefs: 000F6568
4oST, xrefs: 000FB14D
4oST, xrefs: 000FBB18
^W`, xrefs: 000FF1AC
HWg, xrefs: 000F7E1A
4oST, xrefs: 00100E83
4oST, xrefs: 00100830
4oST, xrefs: 000FF03B
4oST, xrefs: 000FDC9A
4oST, xrefs: 000FC5D9
4oST, xrefs: 000FCF85
4oST, xrefs: 00100C5F
4oST, xrefs: 000FA80F
VoST, xrefs: 00100E31
4oST, xrefs: 000F8593
k@z, xrefs: 000FB229
k,6&, xrefs: 000FF6AA
4oST, xrefs: 000FE05E
4oST, xrefs: 000F29D6
4oST, xrefs: 000FC7F6
SGf, xrefs: 000FEC3E
x<, xrefs: 000F7210
x<, xrefs: 000FD7CE
4oST, xrefs: 000F28B0
4oST, xrefs: 000FE262
gQ`, xrefs: 001008BF
WS{, xrefs: 000FF54A
4oST, xrefs: 001002F2
4oST, xrefs: 000FD68A
4oST, xrefs: 000FDC4E
x<, xrefs: 000F9B70
cannot use operator[] with a string argument with , xrefs: 000F3E34, 000F3E8E, 000F60DE, 000F6190, 000F89A3, 000F8A39, 000FADBC, 000FAE73, 000FCABD, 000FCAFB, 000FCBAD, 00101091, 001010E6
4oST, xrefs: 000FFEC5
4oST, xrefs: 000FCE7D
#iR@, xrefs: 000FD7C4
]Xw, xrefs: 000FA2D7
4oST, xrefs: 000FBB70
4oST, xrefs: 000FEB9A
KGa, xrefs: 000FE032
WS{, xrefs: 000FDE5D
4oST, xrefs: 000FF972
4oST, xrefs: 000FC58D
4oST, xrefs: 000FB255
4oST, xrefs: 000FD2FA
4oST, xrefs: 000F8547
4oST, xrefs: 000FC011
4oST, xrefs: 000F2AAA
4oST, xrefs: 000FCDC3
4oST, xrefs: 000FDED5
4oST, xrefs: 000FC09C
WS{, xrefs: 000FE1EA
4oST, xrefs: 000FF8A7
4oST, xrefs: 000F64B2
4oST, xrefs: 000FEBE6
4oST, xrefs: 000FEFE9
4oST, xrefs: 000F8151
4oST, xrefs: 000FB19F
#iR@, xrefs: 000F5060
VoST, xrefs: 00100A4E
4oST, xrefs: 000FF85B
UYw, xrefs: 000FC2D2
VoST, xrefs: 001008F1
4oST, xrefs: 000FFCCD
4oST, xrefs: 000FD3E5
4oST, xrefs: 00100D70
4oST, xrefs: 000FFE73
4oST, xrefs: 000FB383
*ct, xrefs: 000FE9D6
4oST, xrefs: 000FEB03
4oST, xrefs: 000FB2A8
4oST, xrefs: 000FB337
4oST, xrefs: 000FC0EE
4oST, xrefs: 000FED58
4oST, xrefs: 000FCECF
4oST, xrefs: 000FB7A8
4oST, xrefs: 000FB50C
gQ`, xrefs: 001006A1
4oST, xrefs: 000FFD8D
4oST, xrefs: 000FF5C2
4oST, xrefs: 000FF476
gQ`, xrefs: 00100DFF
x<, xrefs: 000F506A
P?2', xrefs: 000FF1D8
4oST, xrefs: 000F8FAA
4oST, xrefs: 00100116
4oST, xrefs: 000FFC7B
4oST, xrefs: 000FA7C3
k@z, xrefs: 000FCF59
4oST, xrefs: 000FFC02
4oST, xrefs: 000FBDF4
gQk, xrefs: 00100163
4oST, xrefs: 000F6D40
4oST, xrefs: 000FFDDF
4oST, xrefs: 000FD2A8
KGa, xrefs: 000FF44A
4oST, xrefs: 000FDA28
4oST, xrefs: 000FE938
4oST, xrefs: 000F9CAB
4oST, xrefs: 000F275D
4oST, xrefs: 000F91C8
MXg, xrefs: 000FC561
]?0, xrefs: 000FBCF8
4oST, xrefs: 000FD0B3
4oST, xrefs: 001003B1
4oST, xrefs: 0010018F
4oST, xrefs: 000FEC6F
gQk, xrefs: 0010037F
4oST, xrefs: 000F299C
gQk, xrefs: 000FFA87
4oST, xrefs: 000FECC1
v}{, xrefs: 000F511A
cannot use push_back() with , xrefs: 000F5F2C, 000F612E, 000F8851, 000F89DA, 000FAC0A, 000FAE0C, 000FC996, 000FCB4B, 00101038
WS{, xrefs: 000FF0AC
4oST, xrefs: 000F41AF
4oST, xrefs: 001000CA
9lX, xrefs: 000F4940
PM!, xrefs: 000FFD5E
4oST, xrefs: 000FE85C
4oST, xrefs: 000F6460
4oST, xrefs: 000F93BC
VoST, xrefs: 001006CD
nI?/, xrefs: 000F7054
4oST, xrefs: 000F285E
4oST, xrefs: 000F5E6E
4oST, xrefs: 000FDE89
4oST, xrefs: 001001E1
4oST, xrefs: 000FF38D
_Ys, xrefs: 000F739F
4oST, xrefs: 000FD9DC
v}{&I, xrefs: 000F5136
4oST, xrefs: 000FA556
4oST, xrefs: 00100403
P: 1, xrefs: 000FEE3A
4oST, xrefs: 000FA5A2
*ct, xrefs: 000FEABB
4oST, xrefs: 000FEA1E
4oST, xrefs: 000F96F2
4oST, xrefs: 000FFABC
4oST, xrefs: 000F38F0
VoST, xrefs: 0010050E
4oST, xrefs: 000FFB0E
^W`, xrefs: 000FEE0E
gQk, xrefs: 000FFE41
4oST, xrefs: 000FBA19
WS{, xrefs: 000FE5A1
*ct, xrefs: 000FE8F6
4oST, xrefs: 000FD21C
4oST, xrefs: 000FF0D8
4oST, xrefs: 000FE6AD
4oST, xrefs: 000FC34A
4oST, xrefs: 00100560
3gX, xrefs: 000FD1A8
4oST, xrefs: 000FB558
4oST, xrefs: 000FCFD8
4oST, xrefs: 000FFFD0
4oST, xrefs: 000FF920
gQ`, xrefs: 001004D9
WS{, xrefs: 000FE681
4oST, xrefs: 000F87E5
4oST, xrefs: 000FB75C
4oST, xrefs: 000FF27C
4oST, xrefs: 000F20CA
XFf, xrefs: 001007B0
gQk, xrefs: 000FFC4F
WS{, xrefs: 000F39AE
4oST, xrefs: 00100022
4oST, xrefs: 001002A6
4oST, xrefs: 00100AA0
4oST, xrefs: 000F2150
g[u, xrefs: 000FD198
4oST, xrefs: 000FBFBF
gQ`, xrefs: 00100BE1
4oST, xrefs: 000F8793
gQ`, xrefs: 00100A19
4oST, xrefs: 000FE216
4oST, xrefs: 000FE80A
4oST, xrefs: 000F6696
4oST, xrefs: 000FE0AA
4oST, xrefs: 000FFBB6
k@z, xrefs: 000F8E9C
4oST, xrefs: 000FF576
4oST, xrefs: 000F389E
4oST, xrefs: 000FF3D9
4oST, xrefs: 000F59A7
4oST, xrefs: 000FC842
4oST, xrefs: 000F8F1B
XFf, xrefs: 00100CF0
4oST, xrefs: 000F9408
4oST, xrefs: 000F3CC3
4oST, xrefs: 0010071F
4oST, xrefs: 000FE5CD
4oST, xrefs: 000FA303
4oST, xrefs: 000F83A5
4oST, xrefs: 000FEDA4
4oST, xrefs: 000F8EC8
4oST, xrefs: 001007E4
4oST, xrefs: 000FF6FC
4oST, xrefs: 000FE6FF
VoST, xrefs: 00100C0D
4oST, xrefs: 00100D24
gQk, xrefs: 000FFF9B
4oST, xrefs: 000FD067
PM&, xrefs: 00100272
4oST, xrefs: 00100608
4oST, xrefs: 000FEEDE

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfile$FileFolderPath$CreateDirectoryNamesSectionStringlstrlen$CopyFind$CloseCpp_errorThrow_std::_$AttributesCredEnumerateErrorExceptionFirstLastNextOpenQueryRaiseUnothrow_t@std@@@Value__ehfuncinfo$??2@
String ID: #iR@$#iR@$3gX$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$9lX$9lX$9lX$HWg$KGa$KGa$MXg$P: 1$P?2'$PM!$PM&$SGf$UYw$VoST$VoST$VoST$VoST$VoST$VoST$WS{$WS{$WS{$WS{$WS{$WS{$WS{$XFf$XFf$]?0$]Xw$^W`$^W`$_Ys$cannot use operator[] with a string argument with $cannot use push_back() with $gQ`$gQ`$gQ`$gQ`$gQ`$gQ`$gQk$gQk$gQk$gQk$gQk$gQk$gUb$g[`$g[u$k,6&$k@z$k@z$k@z$k@z$nI?/$v}{$v}{&I$*ct$*ct$*ct$x<$x<$x<$x<
API String ID: 4212196321-1071398278
Opcode ID: 88d719eb6a8c1aca01b238ae4d9b08ea7cf745aa8857a47fadaae691bbd131a8
Instruction ID: 7c5182a5ee299c960b03ad38f74fb7d0731dff39f945b7bddff2293c3a68545f
Opcode Fuzzy Hash: 88d719eb6a8c1aca01b238ae4d9b08ea7cf745aa8857a47fadaae691bbd131a8
Instruction Fuzzy Hash: AF740FB4D052A88FDB65CF28C890BEDBBB1AF49304F1081D9E94DA7242DB346B85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00144B90 Relevance: 36.5, APIs: 5, Strings: 15, Instructions: 1467processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00144CF2
Process32First.KERNEL32(00000000,?), ref: 00144D02
Process32Next.KERNEL32(00000000,?), ref: 00144D1F
Process32Next.KERNEL32(00000000,?), ref: 00144FB6
CloseHandle.KERNEL32(00000000), ref: 00144FC2

Strings

4oST, xrefs: 00144D50
4oST, xrefs: 00145F77
4oST, xrefs: 00145EDE
4oST, xrefs: 00146053
4oST, xrefs: 00144EDA
4oST, xrefs: 00145FAB
4oST, xrefs: 0014535F
exists, xrefs: 00146364, 00146458
4oST, xrefs: 00146087
4oST, xrefs: 00144E27
4oST, xrefs: 00144DA2
4oST, xrefs: 00145E92
4oST, xrefs: 00144E61
4oST, xrefs: 00145058
4oST, xrefs: 00145313

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Process32$Next$CloseCreateFirstHandleSnapshotToolhelp32
String ID: 4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$exists
API String ID: 2284531361-891485653
Opcode ID: ea5596406a15bcc520db35eb70e64e3b2036a4ebf2154c7b9378538f0aea975a
Instruction ID: ca769912490f0857f7b20e9c8425466cc8e416c55a9779443a5ae7a390093ae0
Opcode Fuzzy Hash: ea5596406a15bcc520db35eb70e64e3b2036a4ebf2154c7b9378538f0aea975a
Instruction Fuzzy Hash: E6F246B0C056688FDB25CF68C894BEDBBB1BF49314F2482D9D8496B252DB305E86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00143B20 Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 350COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00143F97
std::_Throw_Cpp_error.LIBCPMT ref: 00143FA8
CreateDirectoryA.KERNEL32(?,00000000), ref: 00144005
std::_Throw_Cpp_error.LIBCPMT ref: 00144034
std::_Throw_Cpp_error.LIBCPMT ref: 00144045

Strings

\*.*, xrefs: 00143BE4

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CreateDirectory
String ID: \*.*
API String ID: 2715195259-1173974218
Opcode ID: 1e89874eb57563e2bda2a9c1ef6d00b69d29957ef978c63c64bc4e0e065db248
Instruction ID: 386797a1d3a5abe5705ff10fdab6168741f77c81d5c71810b35d5bcf4a0c8381
Opcode Fuzzy Hash: 1e89874eb57563e2bda2a9c1ef6d00b69d29957ef978c63c64bc4e0e065db248
Instruction Fuzzy Hash: F6E1F270D01249DFDB10DFA8C9487EDBBB5EF15314F208259E424BB2A2DB705A89DB62

Uniqueness

Uniqueness Score: -1.00%

Function 000F0BA0 Relevance: 23.3, APIs: 5, Strings: 8, Instructions: 533fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000), ref: 000F0BED
GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000), ref: 000F0C01
ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000,?,?,?,00000000), ref: 000F0C38
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 000F0C43
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 000F0C65

Strings

4oST, xrefs: 000F104D
4oST, xrefs: 000F0F8F
4oST, xrefs: 000F119F
4oST, xrefs: 000F0E8D
4oST, xrefs: 000F1099
zW}, xrefs: 000F0E15
kGa, xrefs: 000F101B
4oST, xrefs: 000F0E41

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseHandle$CreateReadSize
String ID: 4oST$4oST$4oST$4oST$4oST$4oST$kGa$zW}
API String ID: 3664964396-4071347269
Opcode ID: 23256c7691bdee4d55130813fe3b4b668a9da716748793a96a9c9d0162eb9d7b
Instruction ID: 99a28b56cbf0edd920a2be6e6f502169fbe38dfa4175f3f464e8bbdb2c530a04
Opcode Fuzzy Hash: 23256c7691bdee4d55130813fe3b4b668a9da716748793a96a9c9d0162eb9d7b
Instruction Fuzzy Hash: 76325670D04268DFDB25CFA4CC90BEDBBB1BF49300F148299E959A7682DB306A85DF51

Uniqueness

Uniqueness Score: -1.00%

Function 0012C630 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 240injectionmemorysynchronizationCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 0012C6A1
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 0012C6BD
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0012C6F2
VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 0012C71B
WriteProcessMemory.KERNEL32(?,00000000,?,00000218,00000000), ref: 0012C8BF
WriteProcessMemory.KERNEL32(?,00000218,0012C990,-00000010,00000000), ref: 0012C8E1
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000218,00000000,00000000,00000000), ref: 0012C8F4
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0012C8FD

Strings

4oST, xrefs: 0012C7D2
131, xrefs: 0012C883, 0012C893
%s|%s, xrefs: 0012C89F

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite$AllocVirtual$CreateObjectRemoteSingleThreadWait
String ID: %s|%s$131$4oST
API String ID: 2137838514-1634972829
Opcode ID: ada0ce892b066d32bca4b4c9f8b226209b508d61afcbd136e0582eebfd57b360
Instruction ID: afef3d220b7e7d7e670dc6cbf9eb0778d2d596e0198e3ac38105116febf30d76
Opcode Fuzzy Hash: ada0ce892b066d32bca4b4c9f8b226209b508d61afcbd136e0582eebfd57b360
Instruction Fuzzy Hash: 91B16AB1D00208DFDB14CFA8CC85BEEBBB0FF48310F504259E509AB291D775AA81CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00101E40 Relevance: 18.6, Strings: 14, Instructions: 1124COMMON

Download Yara Rule

Strings

cannot use push_back() with , xrefs: 00102F0C
cannot use operator[] with a string argument with , xrefs: 00102F61, 00102FB6, 0010300B, 00103060, 001030BA
4oST, xrefs: 0010288A
4oST, xrefs: 00102C6C
4oST, xrefs: 00102A28
4oST, xrefs: 001024D8
4oST, xrefs: 00102116
4oST, xrefs: 001028DC
4oST, xrefs: 00102CB8
4oST, xrefs: 00102524
4oST, xrefs: 00102162
4oST, xrefs: 00101FA7
4oST, xrefs: 00102A74
ct, xrefs: 00101F77

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$4oST$cannot use operator[] with a string argument with $cannot use push_back() with $ct
API String ID: 0-1099484197
Opcode ID: 75d5fc51640a5041426569c160b13e111f410601e677684cc301fb6d3815de75
Instruction ID: bbf4d838f967c29e60588e63803d12eed919ddadd9de85582a4ffad5961a5a62
Opcode Fuzzy Hash: 75d5fc51640a5041426569c160b13e111f410601e677684cc301fb6d3815de75
Instruction Fuzzy Hash: BDC26670D04298CBDB25DF68C894BEDBBB1AF19304F1481D9E449A7282DB749F85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00101130 Relevance: 18.4, APIs: 1, Strings: 9, Instructions: 857COMMON

Download Yara Rule

APIs

Part of subcall function 000951EB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,76A923A0,?,00091CF9,?,001D69D8,76A923A0,?,76A923A0,-001E6880), ref: 0009524B

Concurrency::cancel_current_task.LIBCPMT ref: 00101E22

Part of subcall function 00062B50: ___std_exception_copy.LIBVCRUNTIME ref: 00062BA7

Strings

4oST, xrefs: 00101504
Y T, xrefs: 00101745
4oST, xrefs: 00101791
cannot use push_back() with , xrefs: 00101949, 00101DE0
4oST, xrefs: 001014B8
cannot use operator[] with a string argument with , xrefs: 00101CDE, 00101D31, 00101D6B
OV~, xrefs: 00101719
OV~, xrefs: 0010148C
4oST, xrefs: 00101251

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExceptionRaise___std_exception_copy
String ID: 4oST$4oST$4oST$4oST$OV~$OV~$Y T$cannot use operator[] with a string argument with $cannot use push_back() with
API String ID: 3394888853-2408073570
Opcode ID: eaeb8f8da2009a74580de838de41a8e1c4756baca2bbc18fd1e75f4f757f41c5
Instruction ID: d43066c8d47b1e243cf21035d64fa7fadb151f6f904acb770dd68d3c1ff11fd6
Opcode Fuzzy Hash: eaeb8f8da2009a74580de838de41a8e1c4756baca2bbc18fd1e75f4f757f41c5
Instruction Fuzzy Hash: F1926B70C05298DFDB25DF64C9447DEBBB1AF55300F24829DE489AB282DBB46B84CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001A5A40 Relevance: 16.6, APIs: 3, Strings: 6, Instructions: 872COMMON

Download Yara Rule

Strings

NaN, xrefs: 001A60C8
+Inf, xrefs: 001A61C0
Inf, xrefs: 001A61C9
-Inf, xrefs: 001A61B9
gfff, xrefs: 001A649D
+, xrefs: 001A600D

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +$+Inf$-Inf$Inf$NaN$gfff
API String ID: 0-2743850093
Opcode ID: 378e753e7d4cdc4ccaae056df1fcadf010a8a215f14ea684a28069bdd34fc845
Instruction ID: a0063cb2220f321b93b03e8036b1e869167793b02497d45fc8eedf15689e5066
Opcode Fuzzy Hash: 378e753e7d4cdc4ccaae056df1fcadf010a8a215f14ea684a28069bdd34fc845
Instruction Fuzzy Hash: 2472F17590CB808FD71ACF28845076ABFE6AF97344F088A5DF8DA9B242D734D945CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00092012 Relevance: 15.2, APIs: 10, Instructions: 200fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(?,00000000,?,7591E010,?), ref: 000920AA
GetLastError.KERNEL32 ref: 000920B4
FindFirstFileW.KERNEL32(?,?), ref: 000920CB
GetLastError.KERNEL32 ref: 000920D6
FindClose.KERNEL32(00000000), ref: 000920E2
___std_fs_open_handle@16.LIBCPMT ref: 0009219B

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileFindLast$AttributesCloseFirst___std_fs_open_handle@16
String ID:
API String ID: 2340820627-0
Opcode ID: 7c4e74c4ccb9a59edf652fb1c691b3f675a5bb299d6c90cfa2d1188e8b9b75eb
Instruction ID: 1bc79371d48b546cb2b036999dfb9423b08f8306776688dad16f31c6cef029d9
Opcode Fuzzy Hash: 7c4e74c4ccb9a59edf652fb1c691b3f675a5bb299d6c90cfa2d1188e8b9b75eb
Instruction Fuzzy Hash: 2E717975A00619BFCFA4CF68DC88BADB7B8BF05310F144295E865E3390DB30AA95DB51

Uniqueness

Uniqueness Score: -1.00%

Function 00146E20 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 181memorylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,7591E010,?), ref: 00146F9E
GetProcAddress.KERNEL32(00000000,?), ref: 00146FA9
GetProcessHeap.KERNEL32 ref: 00146FB4
RtlAllocateHeap.NTDLL(00000000,00000000,00010000), ref: 00146FCE
RtlAllocateHeap.NTDLL(?,00000000,00010000), ref: 00147007

Strings

4oST, xrefs: 00146F6C

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Heap$Allocate$AddressHandleModuleProcProcess
String ID: 4oST
API String ID: 3330366720-3759581069
Opcode ID: eef7517b73cfa9bbc6a98d071124227c9d7f10ee12e1f2d416a9bea8b568e93c
Instruction ID: fc694cbab9c16a3d6dde777cd83ac0ea40f713cf71ea2e920f0f04f39738b298
Opcode Fuzzy Hash: eef7517b73cfa9bbc6a98d071124227c9d7f10ee12e1f2d416a9bea8b568e93c
Instruction Fuzzy Hash: F981EFB9D04259AFCB14CF99D881AEEFBB0FF49310F14825AE924A7350D7306A01CF55

Uniqueness

Uniqueness Score: -1.00%

Function 000B47AD Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 000B49C4

Strings

1#QNAN, xrefs: 000B48C0
1#SNAN, xrefs: 000B48B9
1#IND, xrefs: 000B48B2
1#INF, xrefs: 000B48E3

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: d98c5c8c08f66037025913b02e5f9839843e72c41cc125b51047765b5f9a6695
Instruction ID: 775bf0c938d610f46c0a3e4315200e1bf342ce5064d623bb5fb715108ddefb1a
Opcode Fuzzy Hash: d98c5c8c08f66037025913b02e5f9839843e72c41cc125b51047765b5f9a6695
Instruction Fuzzy Hash: 82D22771E086298FDB65CE28DC84BEAB7F5EB44315F1441EAD40DE7241EB78AE818F41

Uniqueness

Uniqueness Score: -1.00%

Function 00158080 Relevance: 9.2, Strings: 7, Instructions: 484COMMON

Download Yara Rule

Strings

no such vfs: %s, xrefs: 00158237
RTRIM, xrefs: 001582E8
automatic extension loading failed: %s, xrefs: 001585AC
NOCASE, xrefs: 001583AA
BINARY, xrefs: 001582A5, 001582B4, 001582CE, 0015830E, 00158319, 00158331, 00158383, 00158384
MATCH, xrefs: 00158488, 00158499, 001584B9, 001584BA, 001584D0
sqlite_rename_table, xrefs: 00158464

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
API String ID: 0-1885142750
Opcode ID: f106afd220187048dbc6ae1ce103661d829d260413d259f970df43063f442abf
Instruction ID: 9be74cc8853d948bd6ac3ae339fb7d13f1fe6e8bd2d1986d692908bdb6a6cdc6
Opcode Fuzzy Hash: f106afd220187048dbc6ae1ce103661d829d260413d259f970df43063f442abf
Instruction Fuzzy Hash: 9E021970A00700DFEB218F65DC85B6B77E5AB50305F14442CEC6AAF691DFB1EA89CB91

Uniqueness

Uniqueness Score: -1.00%

Function 000B32E1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,000B35F3,?,?), ref: 000B337A
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,000B35F3,?,?), ref: 000B33A3
GetACP.KERNEL32(?,?,000B35F3,?,?), ref: 000B33B8

Strings

OCP, xrefs: 000B3335
ACP, xrefs: 000B32FF

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: c90eab603ce9579e590f2df18519ffe97aa986c953688a45229f4a295cef347f
Instruction ID: 52fb17b347d3e1fd1c257f79d80d4cd69ac5a8fd863f3b6277ef2c18a111d56d
Opcode Fuzzy Hash: c90eab603ce9579e590f2df18519ffe97aa986c953688a45229f4a295cef347f
Instruction Fuzzy Hash: 23218032604105AADB748F29D945BDBB3E6AF54F50BB68564E90ADB110FF32DF81C350

Uniqueness

Uniqueness Score: -1.00%

Function 000B34BD Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000A9E32: GetLastError.KERNEL32(00000000,?,000AF819), ref: 000A9E36
Part of subcall function 000A9E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000007,000000FF), ref: 000A9ED8

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 000B35C5
IsValidCodePage.KERNEL32(?), ref: 000B3603
IsValidLocale.KERNEL32(?,00000001), ref: 000B3616
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 000B365E
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 000B3679

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 0f0d0bbb206c037bfb49535400b198a810008dca693a7e1bcd1d7c4af9ed47e0
Instruction ID: d8212a3b13da65f8e5c784b7657a26f46c1256636569bd0568f83c5b4f87bced
Opcode Fuzzy Hash: 0f0d0bbb206c037bfb49535400b198a810008dca693a7e1bcd1d7c4af9ed47e0
Instruction Fuzzy Hash: 05515E71A00605AFDB60DFA9DC45BFEB7F8AF08700F244569E911EB191EB70DA44CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000B2B48 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000A9E32: GetLastError.KERNEL32(00000000,?,000AF819), ref: 000A9E36
Part of subcall function 000A9E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000007,000000FF), ref: 000A9ED8

GetACP.KERNEL32(?,?,?,?,?,?,000A72F0,?,?,?,?,?,-00000050,?,?,?), ref: 000B2C07
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,000A72F0,?,?,?,?,?,-00000050,?,?), ref: 000B2C3E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 000B2DA1

Strings

utf8, xrefs: 000B2D10

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 7fc077a3b9e9631ba6b7ff8559bb366d7021a4f8f1912b219b75245943c80613
Instruction ID: 0d75c06f69f61b0c71e03f96f5b0046887d90000293d7b043cc6fbd04c332bd4
Opcode Fuzzy Hash: 7fc077a3b9e9631ba6b7ff8559bb366d7021a4f8f1912b219b75245943c80613
Instruction Fuzzy Hash: 8371F236600606AADB25AF74CC86FFB77E8EF05700F14482AF915DB182EB70ED818761

Uniqueness

Uniqueness Score: -1.00%

Function 0009C950 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction ID: 4d1515993591a0bcd00f3b3fca58cb0ade915d6532a6bf3957ad4d7b4816d890
Opcode Fuzzy Hash: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction Fuzzy Hash: 1D021D71E012199BEF14CFA9D980AAEBBF1FF48314F248269D519E7381D731A941DB90

Uniqueness

Uniqueness Score: -1.00%

Function 000F13F0 Relevance: 6.2, APIs: 4, Instructions: 207fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,001C2EFC,001C2EFC,00000002,?,?), ref: 000F148F
FindNextFileA.KERNEL32(00000000,00000010), ref: 000F15EF
GetLastError.KERNEL32 ref: 000F15FD
FindClose.KERNEL32(00000000), ref: 000F160D

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Find$File$CloseErrorFirstLastNext
String ID:
API String ID: 819619735-0
Opcode ID: 3e63cc000c346a9364b621ac0c1e776b5110fb2e1181a340c278bcfb0af3dcbc
Instruction ID: 156a79f4ee27b522782452e7368a7c55bc6193e5bf87ef69baaeea802a37e1ee
Opcode Fuzzy Hash: 3e63cc000c346a9364b621ac0c1e776b5110fb2e1181a340c278bcfb0af3dcbc
Instruction Fuzzy Hash: 50712A70C0024CDBDB15CF64C894BFDBBB5AF55314F184258E541ABA82D7369E88DB60

Uniqueness

Uniqueness Score: -1.00%

Function 000B2F65 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 000A9E32: GetLastError.KERNEL32(00000000,?,000AF819), ref: 000A9E36
Part of subcall function 000A9E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000007,000000FF), ref: 000A9ED8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 000B2FB9
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 000B3003
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 000B30C9

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 93edc1be90998cc3118728112a12b0436f13073b64136b10a2ed4330346cc792
Instruction ID: cfd0b1e7dfe4afe8e9f1bc6d5da2724df91663b80e60616782f902acf91ea994
Opcode Fuzzy Hash: 93edc1be90998cc3118728112a12b0436f13073b64136b10a2ed4330346cc792
Instruction Fuzzy Hash: 886171719102079FDB68EF28CD96BFA77E8EF04310F204679E915C6586EB34DA82DB50

Uniqueness

Uniqueness Score: -1.00%

Function 00098A54 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00098B4C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00098B56
UnhandledExceptionFilter.KERNEL32(?), ref: 00098B63

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b141879b6f71e0b7fe84fd16d87cb50397cd052ca4f0f1b8c15627cbbf9a3f31
Instruction ID: 51510d0bc4a15d697c8859a7c40f1467c87bf58f1fa8df71115bf7e505fe6b92
Opcode Fuzzy Hash: b141879b6f71e0b7fe84fd16d87cb50397cd052ca4f0f1b8c15627cbbf9a3f31
Instruction Fuzzy Hash: 2531B375901218ABCF61DF68DC89BCDBBB8BF08310F5041DAE41CA7251EB749B859F45

Uniqueness

Uniqueness Score: -1.00%

Function 00091F8C Relevance: 4.5, APIs: 3, Instructions: 35COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(000000FF,?,0007D027,?,?,?,00084721), ref: 00091F98
FindFirstFileExW.KERNEL32(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,0007D027,?,?,?,00084721), ref: 00091FC7
GetLastError.KERNEL32(?,0007D027,?,?,?,00084721), ref: 00091FD9

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseErrorFileFirstLast
String ID:
API String ID: 4020440971-0
Opcode ID: 306fc210f491e19e4b47020e9455d895a69fe167369e0c2232c82cfd51df8806
Instruction ID: 1b6263dc6e8919179b6ad0af01f983dbf58e77788bdf9d2d735f5d3e11f2dd8b
Opcode Fuzzy Hash: 306fc210f491e19e4b47020e9455d895a69fe167369e0c2232c82cfd51df8806
Instruction Fuzzy Hash: BFF05E3520420EBFDF506FA5EC049FA7BADEF14370B508634F929C15A1D73189A1A661

Uniqueness

Uniqueness Score: -1.00%

Function 0019C8D0 Relevance: 3.5, APIs: 2, Instructions: 484COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0019CA85
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0019CD87

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 08a3e2016fa4f08bf3e81fd6b302f8a0cb9d243c822405662e840bc1f8d95540
Instruction ID: 8da8d6903e39da1173e3d1d19030a6d893f45d936fec1626222d9767237ff7c4
Opcode Fuzzy Hash: 08a3e2016fa4f08bf3e81fd6b302f8a0cb9d243c822405662e840bc1f8d95540
Instruction Fuzzy Hash: 1602BF70A04602AFDF18CF68C850B6AB7E4BF99354F04866DE899C7650E774ED94CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 001A40A0 Relevance: 3.5, APIs: 2, Instructions: 465COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A4443
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001A44A1

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: c5440fcf590c25723296fd30bd8dd7134001728b0d3188cc1612fd63cfd0dc9b
Instruction ID: bae28312608cf3344927638294ece9210b9ef392212143e360d0e5413678d751
Opcode Fuzzy Hash: c5440fcf590c25723296fd30bd8dd7134001728b0d3188cc1612fd63cfd0dc9b
Instruction Fuzzy Hash: 6602D475E006298BCF19CF6CD8907BDFBB5BFD6310F1942AAE855AB281D7748941C780

Uniqueness

Uniqueness Score: -1.00%

Function 0009360D Relevance: 3.0, APIs: 2, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00093067,?,?,?,?,001251DF), ref: 00093645
GetSystemTimeAsFileTime.KERNEL32(?,21FC8FDF,00000000,?,001AE6F2,000000FF,?,00093067,?,?,?,?,001251DF), ref: 00093649

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 319e03274b31e20291943fa86ae1a23889f98e7a1478cd8c57be3feac3397574
Instruction ID: f4df73e77f7a36d1fea67a3fb1dd2d25f1d6cb69e52264f629cbb7ffb57722ce
Opcode Fuzzy Hash: 319e03274b31e20291943fa86ae1a23889f98e7a1478cd8c57be3feac3397574
Instruction Fuzzy Hash: C4F0E5369046A4EFCB018F58DC44B5DB7E9FB08F20F004226F81297BA0CB74A900DF80

Uniqueness

Uniqueness Score: -1.00%

Function 000B8E20 Relevance: 3.0, Strings: 2, Instructions: 463COMMON

Download Yara Rule

Strings

/, xrefs: 000B9358
+, xrefs: 000B9353

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: +$/
API String ID: 0-2439032044
Opcode ID: 128709c3d78b592050f2099eea1845dca92049bbeb02c6047a3e816553cf263d
Instruction ID: 847042e087653e31a9c41f50f626b45a00af7dd906b08c4c767ae8d7896facea
Opcode Fuzzy Hash: 128709c3d78b592050f2099eea1845dca92049bbeb02c6047a3e816553cf263d
Instruction Fuzzy Hash: 6502F470D042469FCB15CF68C8947EEBBF5FF49310F24426AE965AB392D7309A44DBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001920C0 Relevance: 2.0, Strings: 1, Instructions: 710COMMON

Download Yara Rule

Strings

%s-mj%08X, xrefs: 00192318

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %s-mj%08X
API String ID: 0-77246884
Opcode ID: 5a2e0a8028ff38f35049eaeb6619baffb9916aaaaee568f37a6ca0049fad2bb5
Instruction ID: 30a19f8a0d6a1fdc3be573d669d74ffdcc1dff107b32015b6ee6a331ff83ade2
Opcode Fuzzy Hash: 5a2e0a8028ff38f35049eaeb6619baffb9916aaaaee568f37a6ca0049fad2bb5
Instruction Fuzzy Hash: 49428AB4A00205AFDF18CFA9D884BAEBBF5BF58304F148469E81AA7351D775ED81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 000ADA74 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,000ADA6F,?,?,?,?,?,?,00000000), ref: 000ADCA1

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: c7ce38be8ff473711b8027adac105d50612c62c6c5324e67451df7de92d09229
Instruction ID: e0b2a60efb0b0b7ed487288cb1b152aa3d79186f5c25d5f610ced2ba44834895
Opcode Fuzzy Hash: c7ce38be8ff473711b8027adac105d50612c62c6c5324e67451df7de92d09229
Instruction Fuzzy Hash: 96B19F31120609DFD755CF68C48AB647BE0FF46364F25865AE8DACF6A1C335E981CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0019F280 Relevance: 1.7, APIs: 1, Instructions: 167COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0019F2FD

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: __allrem
String ID:
API String ID: 2933888876-0
Opcode ID: c44bbcc0f39f7b0d23c97f2dc5159623da48b00775b52752b9f1f5bb8d69db2a
Instruction ID: b28bd48ee2359256747c14045d8d412dc3e355802665030cd1c04762dd3d0c7f
Opcode Fuzzy Hash: c44bbcc0f39f7b0d23c97f2dc5159623da48b00775b52752b9f1f5bb8d69db2a
Instruction Fuzzy Hash: 4A617C31614744DFCB19CF6DC88066ABBF1BF95300B0886AED886DB752C734EA55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000B31B8 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 000A9E32: GetLastError.KERNEL32(00000000,?,000AF819), ref: 000A9E36
Part of subcall function 000A9E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000007,000000FF), ref: 000A9ED8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 000B320C

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: d5b613b04f63b98e3f4043c33868f923c108da7331888de48e7e52aa166316f3
Instruction ID: 69949a8ad4c1eabdbae88ab9574e08c4875317795a3cee72b5f18e910306c7a7
Opcode Fuzzy Hash: d5b613b04f63b98e3f4043c33868f923c108da7331888de48e7e52aa166316f3
Instruction Fuzzy Hash: A4218E32601216ABDF289B64DC82AFB77E8EF45310F20007AF901D6242EB75EE459B50

Uniqueness

Uniqueness Score: -1.00%

Function 000B2E3F Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000A9E32: GetLastError.KERNEL32(00000000,?,000AF819), ref: 000A9E36
Part of subcall function 000A9E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000007,000000FF), ref: 000A9ED8

EnumSystemLocalesW.KERNEL32(000B2F65,00000001,00000000,?,?,?,000B3599,?), ref: 000B2EB1

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: a14269743c117a582ef612a0503a573a0f553106fe2272f52715738b8a91ccab
Instruction ID: f710693b1d17368bf6b46b648d29295e92a9772493fabd590a974cb337f999ea
Opcode Fuzzy Hash: a14269743c117a582ef612a0503a573a0f553106fe2272f52715738b8a91ccab
Instruction Fuzzy Hash: E011253B2103015FDB18DF39D8916FAB7A1FF84368B14443DE98687B40D771A842CB40

Uniqueness

Uniqueness Score: -1.00%

Function 000B33E7 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 000A9E32: GetLastError.KERNEL32(00000000,?,000AF819), ref: 000A9E36
Part of subcall function 000A9E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000007,000000FF), ref: 000A9ED8

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,000B3181,00000000,00000000,?), ref: 000B3413

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: dee55a822138f7e8a7193a66f68527392702b396c7739621871198e1faaa2751
Instruction ID: 5fed1a2ad868c6172a291b685d79db92128c6cd82ae95061e6d5e300e022dd76
Opcode Fuzzy Hash: dee55a822138f7e8a7193a66f68527392702b396c7739621871198e1faaa2751
Instruction Fuzzy Hash: 7901D632A10126BBDF299A24CC45AFA37A4EB40354F264428AC46A7180EB34FF41D690

Uniqueness

Uniqueness Score: -1.00%

Function 000B2D4D Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 000A9E32: GetLastError.KERNEL32(00000000,?,000AF819), ref: 000A9E36
Part of subcall function 000A9E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000007,000000FF), ref: 000A9ED8

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 000B2DA1

Strings

utf8, xrefs: 000B2D10

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: 458d6b420c5a7560bb54e9cabe247cc4618878e176461bba5755b0f32fa59b5f
Instruction ID: eb518002fe9081179fa677ce7ee518aa1a2e4451f97b41f1e5af42c2b0c62f4b
Opcode Fuzzy Hash: 458d6b420c5a7560bb54e9cabe247cc4618878e176461bba5755b0f32fa59b5f
Instruction Fuzzy Hash: 09F0A432640105ABCB14EB64DC56EFA73E8DF45315F110179F512DB282DA74AD059750

Uniqueness

Uniqueness Score: -1.00%

Function 000B2EDA Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000A9E32: GetLastError.KERNEL32(00000000,?,000AF819), ref: 000A9E36
Part of subcall function 000A9E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000007,000000FF), ref: 000A9ED8

EnumSystemLocalesW.KERNEL32(000B31B8,00000001,?,?,?,?,000B3561,?,?,?,?), ref: 000B2F24

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5e23cb640ec5eaf2ae5ab673c725dc8c5a22ec56633a468450c5657755a01e8e
Instruction ID: 80233339d070f1e47ab94a2d9c2fd71082cc6b3ecee9f48b7a4b87ddac938cf9
Opcode Fuzzy Hash: 5e23cb640ec5eaf2ae5ab673c725dc8c5a22ec56633a468450c5657755a01e8e
Instruction Fuzzy Hash: B9F0C2362003055FDB149F39D881ABABBE5EF81768B55443DFA454B681D671AC42CA50

Uniqueness

Uniqueness Score: -1.00%

Function 000AB1A3 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000A423B: RtlEnterCriticalSection.NTDLL(-001E5967), ref: 000A424A

EnumSystemLocalesW.KERNEL32(000AB196,00000001,001D7298,0000000C,000AB5CB,?,?,?,?), ref: 000AB1DB

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 1bb47c239ba119dcfc9d1f623a1d46f85124915a3f1f2a4674ce82c543e2a0b7
Instruction ID: 8aec8d01d67e548d6f15cd1bf303a9a0993a6df6e3dab2de4dc7a57c6089343e
Opcode Fuzzy Hash: 1bb47c239ba119dcfc9d1f623a1d46f85124915a3f1f2a4674ce82c543e2a0b7
Instruction Fuzzy Hash: D5F08776A04200AFDB10DFA8E842B8CB7B0EB09720F10815AF4109B2A2CBB55A408F50

Uniqueness

Uniqueness Score: -1.00%

Function 000B2DF4 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000A9E32: GetLastError.KERNEL32(00000000,?,000AF819), ref: 000A9E36
Part of subcall function 000A9E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000007,000000FF), ref: 000A9ED8

EnumSystemLocalesW.KERNEL32(000B2D4D,00000001,?,?,?,000B35BB,?,?,?,?), ref: 000B2E2B

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 5b939f7e3e0872a6c3684521b191f83e982472ae71a867774e53f7dcc1352f1c
Instruction ID: f8c25a73d061d1ff58f1f4eda822f64fa3582108f03f56ee6b0b9337870e145e
Opcode Fuzzy Hash: 5b939f7e3e0872a6c3684521b191f83e982472ae71a867774e53f7dcc1352f1c
Instruction Fuzzy Hash: 45F0E53630020557CB14EF36D8456ABBF94EFC2710B464059EA168F751C671D843CB90

Uniqueness

Uniqueness Score: -1.00%

Function 000AB726 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,?,?,?,?,000A7E66,?,20001004,?,00000002,?,?,000A7458), ref: 000AB75A

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: b9b289b668b4597c2dd4fbc65d484ab84cf4fb26da6214256990feded6436165
Instruction ID: ac27871c92b29de26d2a60b1c810739bbc391c0917a67ab749341772f67e2528
Opcode Fuzzy Hash: b9b289b668b4597c2dd4fbc65d484ab84cf4fb26da6214256990feded6436165
Instruction Fuzzy Hash: 22E04F3150021CBBCF123FA0DC48AEE3F66EF46761F044111FD0565172CB729960ABD5

Uniqueness

Uniqueness Score: -1.00%

Function 0014BFC0 Relevance: .8, Instructions: 763COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66eafb21ff0ac23a1e243a383367402beece03311f5ec548545498dddb0c253
Instruction ID: 878174dbf5aff41fdc09f75b36a645431e767394eb96d3daeec0866e9919d909
Opcode Fuzzy Hash: e66eafb21ff0ac23a1e243a383367402beece03311f5ec548545498dddb0c253
Instruction Fuzzy Hash: AD3273B3F5161447DF1CCA6ECC922EDB2E36FD821871E813DE80AE3345EA79E9454684

Uniqueness

Uniqueness Score: -1.00%

Function 00150350 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9c9f5395dbdcb4626e82820b376a20c7e32561f895b52bb09c534990b299cb
Instruction ID: e4a57b700e34f04f10233b4547bbc523c80f3c7b743e53882227d59f0d492375
Opcode Fuzzy Hash: 3a9c9f5395dbdcb4626e82820b376a20c7e32561f895b52bb09c534990b299cb
Instruction Fuzzy Hash: 6B625AB1E00205DBDB16CF99C5847ADBBB1BF48309F2881A9DC64AF242D775D94ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 7F5A0000 Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3553957221.000000007F5A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 7F5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f5a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ae0bc7da4daf42cb7dd2ccaf3ed764511ab6115a11b282037d05a21980b2fe9
Instruction ID: c126a75dfb8f1e936d93d3a3b6d280e4b0ce2f42f68e56548bed33f1373bbd85
Opcode Fuzzy Hash: 4ae0bc7da4daf42cb7dd2ccaf3ed764511ab6115a11b282037d05a21980b2fe9
Instruction Fuzzy Hash: 12F166B2E002106BF3048D29DC84B9B7A9BEBC4324F6A863DEE0E677C5D5765D1287D1

Uniqueness

Uniqueness Score: -1.00%

Function 001A4AE0 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157005189a0b79073f2a6471fda368ce7040346b24c23a8facd3e4425d97c23e
Instruction ID: 9502dd087c247011fcf834dee454908d82f5f2fe8cfd6ec0cc3107d223ece442
Opcode Fuzzy Hash: 157005189a0b79073f2a6471fda368ce7040346b24c23a8facd3e4425d97c23e
Instruction Fuzzy Hash: 3EF18F3A9092928FDB158E3CC4913EDBF62AFE7310F1846A6C49597387D3B8D905C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0008F570 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2deecbe3ee60a011d5856fdee5848cba5150375c33bcb85bf53e5887f2a007a
Instruction ID: 25910bc93db4fb99b3706c687d0c25f062537a2e73e9be3507c74bb696fff99d
Opcode Fuzzy Hash: c2deecbe3ee60a011d5856fdee5848cba5150375c33bcb85bf53e5887f2a007a
Instruction Fuzzy Hash: CFE11372E1022A9FCB05CFA8D8816ADFBF1FF88310F1942A9D855B7340D670AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 000A035F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d47f9fcafd0f2a9037f6dc50320954361fda6c5561af363a2318e7d104d0e1db
Instruction ID: e908a21985911f79f42276a4261bd924629670d1a245cf359a19c9120cadc31c
Opcode Fuzzy Hash: d47f9fcafd0f2a9037f6dc50320954361fda6c5561af363a2318e7d104d0e1db
Instruction Fuzzy Hash: 70C1C9B0900B0E8FCB74CFE8C5946BABBF5BF4B304F144619DA969B692C331A945CB11

Uniqueness

Uniqueness Score: -1.00%

Function 000B25FE Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 5557a5b447a7e3add44bd49d1e77c30da2a1c5eec5368febcf9f777a98da3850
Instruction ID: df339f67432f25bbf3ba1e2a2781e294ed38081423317688d4ca6081f0e3b400
Opcode Fuzzy Hash: 5557a5b447a7e3add44bd49d1e77c30da2a1c5eec5368febcf9f777a98da3850
Instruction Fuzzy Hash: 6AB115355007069BCB389B64CC92BFBB3E8FF55308F54456DEA86C6681EE74E986CB10

Uniqueness

Uniqueness Score: -1.00%

Function 7F5A06DA Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3553957221.000000007F5A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 7F5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f5a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37871e876a0709476e21d6355c9596110cb6e566f0dc8a76eccda1d0de5faa80
Instruction ID: b6a6e085e93fcc4015bf65d9d48e96d572ee4628668e2780e5671de4c7548e55
Opcode Fuzzy Hash: 37871e876a0709476e21d6355c9596110cb6e566f0dc8a76eccda1d0de5faa80
Instruction Fuzzy Hash: 6891B9B3B142055BF3088D29DCC0BAB7B9BEBD4324F25823DD94A5B3C4E5761C228791

Uniqueness

Uniqueness Score: -1.00%

Function 001A3160 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3f7b13948713fc05010b50662c4ce3fdda74f4e130956dee37b10c8a19110a
Instruction ID: abc9bfe8d42fa38192db2a096677176f4ac6fd848457f35a539b152713d6985f
Opcode Fuzzy Hash: ee3f7b13948713fc05010b50662c4ce3fdda74f4e130956dee37b10c8a19110a
Instruction Fuzzy Hash: F3A13BB9A056069FDB14CF69D440769FBE1FF4A314B28C56AE829CB311E731EE11CB80

Uniqueness

Uniqueness Score: -1.00%

Function 000B8BA0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec0285caa0e15a39a280ea05994e11302f65cd081bf085db4419cdb56dc1662d
Instruction ID: a59efee24b59e0e4df094cdf32e739ecc42519f67da5934d983c7d575efa7913
Opcode Fuzzy Hash: ec0285caa0e15a39a280ea05994e11302f65cd081bf085db4419cdb56dc1662d
Instruction Fuzzy Hash: AF8104B5E002868FDB118F68D8D17FEBBF8EB2A300F444169D9549B793CB359909C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 0014CFC0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24d872cb12409e63d79b5a5825687b94122ab3084bd8c518075bf89503609aa9
Instruction ID: 42d92bede77ea8803b5fce8ddabfb2a2093e33ed7e5e6340f9ac435f5ea5fe6c
Opcode Fuzzy Hash: 24d872cb12409e63d79b5a5825687b94122ab3084bd8c518075bf89503609aa9
Instruction Fuzzy Hash: 546123316241658FE718CF1EFCD0C267F62A38A3113854619EA81CB695C739F966DBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0009A918 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
Instruction ID: 0cfa2e960daff54f3af09338c8d2dd65047d9a2520ee6d702d92d38ee4986bae
Opcode Fuzzy Hash: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
Instruction Fuzzy Hash: CF518F72E0011AAFDF14CF98C941AEEBBF6FF89304F198459E915AB201D734AA40DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00097190 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 92bc1e173671fb7fd787530486469d29a367d4b5758a5343820300fe84fbf35b
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: D9112B7726809143DEA8873DD8B46BBA7D5FFC532072C437AD4594BB58E122E945BA00

Uniqueness

Uniqueness Score: -1.00%

Function 7F5A1AC0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3553957221.000000007F5A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 7F5A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f5a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ddb511bfe9e772207caf9189944069cd9798f1b243b634550cda5e5aeacc398
Instruction ID: aa1c7ac8d0ebde425359986f1cc1f67bc2e7ce176ec905b13d58ad9f36a3a0bc
Opcode Fuzzy Hash: 2ddb511bfe9e772207caf9189944069cd9798f1b243b634550cda5e5aeacc398
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00146470 Relevance: 40.7, APIs: 18, Strings: 5, Instructions: 423libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,7591E010,?), ref: 00146650
GetProcAddress.KERNEL32(00000000,?), ref: 00146660
GetModuleHandleA.KERNEL32(?), ref: 00146778
GetProcAddress.KERNEL32(00000000,?), ref: 00146782
OpenProcess.KERNEL32(00000040,00000000,?), ref: 0014678E
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000), ref: 001467FD
CloseHandle.KERNEL32(?), ref: 00146830
CloseHandle.KERNEL32(?), ref: 00146856
CloseHandle.KERNEL32(00000000), ref: 00146876
CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 00146A18
ResetEvent.KERNEL32(00000000), ref: 00146A21
CreateThread.KERNEL32(00000000,00000000,00146B50,?,00000000,00000000), ref: 00146A45
WaitForSingleObject.KERNEL32(00000000,00000064), ref: 00146A51
RtlUnicodeStringToAnsiString.NTDLL(?,?,00000001), ref: 00146A97
CloseHandle.KERNEL32(?), ref: 00146AD8
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000001), ref: 00146AE4
CloseHandle.KERNEL32(?), ref: 00146B03
TerminateThread.KERNEL32(?,00000000), ref: 00146B31

Strings

4oST, xrefs: 00146742
File, xrefs: 001468A0
@!29, xrefs: 001468DA
4oST, xrefs: 0014696C
|@], xrefs: 001468B4

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Handle$Close$Process$AddressCreateCurrentEventModuleProcStringThread$AnsiObjectOpenResetSingleTerminateUnicodeWait
String ID: 4oST$4oST$@!29$File$|@]
API String ID: 3681783469-1165558708
Opcode ID: 56400270fae1aeb02848b5dd9a8f9938bbe19ced7e33c1a00387010a8ce74e06
Instruction ID: 4a08547701bc4352d787bf713e47cd3543d08f91bcb8459c5c773aa9081d5c1e
Opcode Fuzzy Hash: 56400270fae1aeb02848b5dd9a8f9938bbe19ced7e33c1a00387010a8ce74e06
Instruction Fuzzy Hash: E122C0B4D002599FDB25CF98D981BEEBBB1BF08314F244199E909B7351D7306A81CFA6

Uniqueness

Uniqueness Score: -1.00%

Function 000B79D3 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 000B79EC

Strings

log10, xrefs: 000B7A2E, 000B7A3D
acos, xrefs: 000B7B22
asin, xrefs: 000B7B19
exp, xrefs: 000B7A6B, 000B7AD0
log, xrefs: 000B7A49, 000B7A58
pow, xrefs: 000B7A8A, 000B7B34, 000B7B81
sqrt, xrefs: 000B7B2B

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: ea11668c9c2cf7007fa8d83ab26951b4763aaffe27ae808d6b3e5f2b2191ef4d
Instruction ID: fe1fd3b547c19174a643445ed7a727bc1e02766a004bd1865f8bd33b7b62c385
Opcode Fuzzy Hash: ea11668c9c2cf7007fa8d83ab26951b4763aaffe27ae808d6b3e5f2b2191ef4d
Instruction Fuzzy Hash: 6151B07090860ACBCF648FA8D94CAED7FF4FF85310F554184D485AB264CBB48A65CF56

Uniqueness

Uniqueness Score: -1.00%

Function 000972C0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 000972F7
___except_validate_context_record.LIBVCRUNTIME ref: 000972FF
_ValidateLocalCookies.LIBCMT ref: 00097388
__IsNonwritableInCurrentImage.LIBCMT ref: 000973B3
_ValidateLocalCookies.LIBCMT ref: 00097408

Strings

W, xrefs: 000973A5, 000973AE, 000973BF
csm, xrefs: 0009739D

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm$W
API String ID: 1170836740-4264767586
Opcode ID: 55445d0f5d6d7e2a5f5bd640b0b48ae3935079d10e67d39075ce413ee18dbefc
Instruction ID: d525fbca9654b7866d59438a9395abbe7e16abe6020aaba4f6df78f952a3b9ef
Opcode Fuzzy Hash: 55445d0f5d6d7e2a5f5bd640b0b48ae3935079d10e67d39075ce413ee18dbefc
Instruction Fuzzy Hash: 5A41AF35A24209ABCF20DF68C885ADEBBE5AF45314F14C155FC1C9B392D771EA01EB91

Uniqueness

Uniqueness Score: -1.00%

Function 000ABB58 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 000ABBDE

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction ID: 513a81706ba9079000e8ac1fbd1f2d5c0b24137e1ce3ca203ba930ed99968838
Opcode Fuzzy Hash: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction Fuzzy Hash: FCB10372A04355AFDB21CFA8CC81BEE7BE5EF56310F188155E904AF283EB749941C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 000AB370 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,000AB47F,?,?,00000000,00000001,?,?,000AB6A9,00000022,FlsSetValue,001BEB88,001BEB90,00000001), ref: 000AB431

Strings

api-ms-, xrefs: 000AB3C7
ext-ms-, xrefs: 000AB3DB

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 89b7fd357e28f6f36e43ffc4b93881a4a718b251f938dd2ecb3ec259b58aa7d3
Instruction ID: 7dcba9c66c2ca53fb795e4625455be986b2604278bbe46cc93d3db6875b7513a
Opcode Fuzzy Hash: 89b7fd357e28f6f36e43ffc4b93881a4a718b251f938dd2ecb3ec259b58aa7d3
Instruction Fuzzy Hash: 3821E732A41211ABCB319BF5EC41A9E77D8DF47760F140221F905AB693DB30EE40C6D0

Uniqueness

Uniqueness Score: -1.00%

Function 00133F50 Relevance: 9.2, APIs: 6, Instructions: 164fileCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000), ref: 00133F83
6D1B7CF0.RSTRTMGR(?,00000000,?), ref: 00134000
SetLastError.KERNEL32(00000000), ref: 001340AE
CopyFileA.KERNEL32(?,?,00000000), ref: 001340D5
GetLastError.KERNEL32(?,?,00000000), ref: 001340E3
CopyFileA.KERNEL32(?,?,00000000), ref: 001340F7

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CopyFile
String ID:
API String ID: 936320341-0
Opcode ID: 2d3caf735e3771916fa4aa27ec6c6a046de343fe34f439ebaaf1c5a7149b84e3
Instruction ID: 7633d46bba6f616548af3255b2b7a72ca11538c7df83fe2a10d2fd4a5cc321e3
Opcode Fuzzy Hash: 2d3caf735e3771916fa4aa27ec6c6a046de343fe34f439ebaaf1c5a7149b84e3
Instruction Fuzzy Hash: 9251AF72D01219ABDB21DFA4CC45BEEBBB8EF08320F10426AE914B3290D7756E45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0007A060 Relevance: 9.1, APIs: 6, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0007A09D
std::_Lockit::_Lockit.LIBCPMT ref: 0007A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 0007A0E7
__Getctype.LIBCPMT ref: 0007A1C5
std::_Facet_Register.LIBCPMT ref: 0007A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 0007A223

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 2ae86ed1a812b691771102ea707580e711075bd34309d3885b3d7268a93dc7b9
Instruction ID: 34de7b258e2275ebd2c1d4b661223919f365fb6861d881b9ef86c50c6ed9a0aa
Opcode Fuzzy Hash: 2ae86ed1a812b691771102ea707580e711075bd34309d3885b3d7268a93dc7b9
Instruction Fuzzy Hash: 9C518BB0D01249DFDB10CF98C98579EBBF0BB51714F14815DE849AB382D778AA44CBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00146B50 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 00146C7E
GetProcAddress.KERNEL32(00000000,?), ref: 00146C8A
CreateEventA.KERNEL32(00000000,00000001,00000000,?), ref: 00146E05
SetEvent.KERNEL32(00000000), ref: 00146E0C

Strings

4oST, xrefs: 00146BCB

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Event$AddressCreateHandleModuleProc
String ID: 4oST
API String ID: 2341598627-3759581069
Opcode ID: 1d0a4e14968bb6de89185265769a7d4cd2457ca7acb64b0da5ded1848adf64e5
Instruction ID: 1822a394adf80b1913473d18c4796918d1bd67bc113e978beefe0b13d1cd447d
Opcode Fuzzy Hash: 1d0a4e14968bb6de89185265769a7d4cd2457ca7acb64b0da5ded1848adf64e5
Instruction Fuzzy Hash: E1819AB85083829FC304CF59C480A5BFBE1AF98780F50491EF99587361D770EA8ACF96

Uniqueness

Uniqueness Score: -1.00%

Function 000A3623 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,21FC8FDF,?,?,00000000,001AE6D5,000000FF,?,000A35FF,?,?,000A35D3,00000016), ref: 000A3658
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000A366A
FreeLibrary.KERNEL32(00000000,?,00000000,001AE6D5,000000FF,?,000A35FF,?,?,000A35D3,00000016), ref: 000A368C

Strings

mscoree.dll, xrefs: 000A3651
CorExitProcess, xrefs: 000A3662

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2d2d6f89a974527dc8b2b49416340ceef976135419259196c522ff469a4ed56b
Instruction ID: 99971693b39cfa3960c29ac6ffd4d7dc33259b35f567e7a4b6a56e0e0425167c
Opcode Fuzzy Hash: 2d2d6f89a974527dc8b2b49416340ceef976135419259196c522ff469a4ed56b
Instruction Fuzzy Hash: 1E01D631A44659FFCB158F94DC09BAEBBF8FF04B14F404629F812E26D0DBB49A40CA90

Uniqueness

Uniqueness Score: -1.00%

Function 0007C430 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0007C45A
std::_Lockit::_Lockit.LIBCPMT ref: 0007C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 0007C4A4
std::_Facet_Register.LIBCPMT ref: 0007C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 0007C5C4

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 85f0172595599487112cfd142512ab865eeb2e5bae8e4d65f1001f1768a3ddf2
Instruction ID: e794ef0d79fcd4fae4942ff8135093b097ea4bc2a6cd85876dde2dab957f184e
Opcode Fuzzy Hash: 85f0172595599487112cfd142512ab865eeb2e5bae8e4d65f1001f1768a3ddf2
Instruction Fuzzy Hash: FC51ADB0900254DBEB21DF98C954BAEBBF0FF10354F24815DE849AB381D779AA44CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00092BB8 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00092BCC
RtlAcquireSRWLockExclusive.NTDLL(00000008), ref: 00092BEB
RtlAcquireSRWLockExclusive.NTDLL(00000008), ref: 00092C19
RtlTryAcquireSRWLockExclusive.NTDLL(00000008), ref: 00092C74
RtlTryAcquireSRWLockExclusive.NTDLL(00000008), ref: 00092C8B

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: d249828358eb0b5c692f5c639f340335360bd7ea305d8ab9e748820944580baa
Instruction ID: c1dce24c387f39263eb2542ef8970910cf4b3b5d78b90457b0766357d9fea9b3
Opcode Fuzzy Hash: d249828358eb0b5c692f5c639f340335360bd7ea305d8ab9e748820944580baa
Instruction Fuzzy Hash: 7E416CB190060AEFCF20DF65D4959AEB3F4FF08350B604A29E45AD7A41D730F984EB61

Uniqueness

Uniqueness Score: -1.00%

Function 00133B40 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 278fileCOMMON

Download Yara Rule

APIs

CopyFileA.KERNEL32(?,?,00000000), ref: 00133DD0

Part of subcall function 00133F50: GetLastError.KERNEL32(?,00000000), ref: 00133F83
Part of subcall function 00133F50: 6D1B7CF0.RSTRTMGR(?,00000000,?), ref: 00134000

std::_Throw_Cpp_error.LIBCPMT ref: 00133F34
std::_Throw_Cpp_error.LIBCPMT ref: 00133F45

Strings

4oST, xrefs: 00133D17

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CopyErrorFileLast
String ID: 4oST
API String ID: 1723067277-3759581069
Opcode ID: 0a7d920167be588a84ce598297174bdaf7c0f847ac785c820fd264eba158a396
Instruction ID: b375b1c16f87b0d08f2805cdf1cbd5de6e4db00e5f9310383e63e50820992e1c
Opcode Fuzzy Hash: 0a7d920167be588a84ce598297174bdaf7c0f847ac785c820fd264eba158a396
Instruction Fuzzy Hash: 9CD17AB0D01289DFDB14CFA8C9417EEFBB1AF55314F244299D4197B282DB345B89CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00064900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0006499F

Part of subcall function 000951EB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,76A923A0,?,00091CF9,?,001D69D8,76A923A0,?,76A923A0,-001E6880), ref: 0009524B

Strings

ios_base::failbit set, xrefs: 00064828, 00064941
ios_base::badbit set, xrefs: 00064937, 00064962
ios_base::eofbit set, xrefs: 00064946

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1903096808-1866435925
Opcode ID: 1581e80587e6b8daa44fe69852b18e7d128d5b536740a4d7fa55f5c0ee0d5a76
Instruction ID: 630eb75fff6ceee5490e18e8366e05f9f7d90fd857c6e2eb1598794a1e9f93a0
Opcode Fuzzy Hash: 1581e80587e6b8daa44fe69852b18e7d128d5b536740a4d7fa55f5c0ee0d5a76
Instruction Fuzzy Hash: C51102B29446447BCB20DE58CC03FEA73D8AB05710F044629FE59972C2EB75A904C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 000A8E8F Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(21FC8FDF,00000000,00000000,?), ref: 000A8EF2

Part of subcall function 000AEC43: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,000AA854,?,00000000,-00000008), ref: 000AECA4

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 000A9144
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 000A918A
GetLastError.KERNEL32 ref: 000A922D

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 7636d94ad3751d862b8bec33b8594fdba9396ac79f869ed5ebaff3d6bb18cb94
Instruction ID: e65a84546c438df29d0ce4c915c220f1d0148db60e61f9c0599b5dff6435180d
Opcode Fuzzy Hash: 7636d94ad3751d862b8bec33b8594fdba9396ac79f869ed5ebaff3d6bb18cb94
Instruction Fuzzy Hash: 17D16A75E04249AFCF15CFE8D884AEDBBF9FF0A314F24452AE41AEB251D630A941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00091EFC Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000400,?,?,?,?,00000000,00000000,?,?,?,0007A856,00000000,?,?,00000000), ref: 00091F19
GetLastError.KERNEL32(?,0007A856,00000000,?,?,00000000,00000000,?,?), ref: 00091F25
WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000,?,0007A856,00000000,?,?,00000000,00000000,?), ref: 00091F4B
GetLastError.KERNEL32(?,0007A856,00000000,?,?,00000000,00000000,?,?), ref: 00091F57

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 60783e63372a670c30338fd533e5b0dadff9c602bf226e6b8126a1a5cda0dd8f
Instruction ID: eb292b1822ec88d08f5fbeb204d5ab1d0faf500ba8d64f0bf44ce67ec928d354
Opcode Fuzzy Hash: 60783e63372a670c30338fd533e5b0dadff9c602bf226e6b8126a1a5cda0dd8f
Instruction Fuzzy Hash: 3C01FF32B0415EBB8F221E56DC09C9F3E6AEBD97A0F104124FE1555220C7318862A7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00092719 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00092720
std::_Lockit::_Lockit.LIBCPMT ref: 0009272B
std::_Lockit::~_Lockit.LIBCPMT ref: 00092799

Part of subcall function 0009287C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00092894

std::locale::_Setgloballocale.LIBCPMT ref: 00092746

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 0cf837a08eb5abca7119e37ff271119d2697ce39ad6460f2457ab0f529b1eb01
Instruction ID: af1a3f3e5131a7cf412afe0f3badfa2483e1c722315e78c91d4da8b6074a0c23
Opcode Fuzzy Hash: 0cf837a08eb5abca7119e37ff271119d2697ce39ad6460f2457ab0f529b1eb01
Instruction Fuzzy Hash: AA01F735A00610ABCF05EB70C8455BD77B1FF84780F184019E80117392CF749E82EBC2

Uniqueness

Uniqueness Score: -1.00%

Function 000B6D22 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000,?,?,000B3DBC,?,00000001,?,?,?,000A9281,?,00000000,00000000), ref: 000B6D39
GetLastError.KERNEL32(?,000B3DBC,?,00000001,?,?,?,000A9281,?,00000000,00000000,?,?,?,000A985B,?), ref: 000B6D45

Part of subcall function 000B6D0B: CloseHandle.KERNEL32(FFFFFFFE,000B6D55,?,000B3DBC,?,00000001,?,?,?,000A9281,?,00000000,00000000,?,?), ref: 000B6D1B

___initconout.LIBCMT ref: 000B6D55

Part of subcall function 000B6CCD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,000B6CFC,000B3DA9,?,?,000A9281,?,00000000,00000000,?), ref: 000B6CE0

WriteConsoleW.KERNEL32(?,?,?,00000000,?,000B3DBC,?,00000001,?,?,?,000A9281,?,00000000,00000000,?), ref: 000B6D6A

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: a56d710da464ab100bb9bb1615bbde86284fa107a316080c16d3824b2640f475
Instruction ID: 1a9aac75b2ba5e26ee5251fa4822f73e6871f3d01d1dd28eeb0fcc1db662cce4
Opcode Fuzzy Hash: a56d710da464ab100bb9bb1615bbde86284fa107a316080c16d3824b2640f475
Instruction Fuzzy Hash: FFF0A536940158BBCF622FE5DC18EDA3F6AFF483A1F454514FA1C95621C7368CA0DB92

Uniqueness

Uniqueness Score: -1.00%

Function 00066180 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 353COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00066587

Strings

: ", xrefs: 000663AE
", ", xrefs: 000663D8

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: ", "$: "
API String ID: 4194217158-747220369
Opcode ID: 9b62463a2143d1fd51a1965e28bbf1b06b7db7c24634945cd93ddf542bcc2661
Instruction ID: 9e25e1b0b00c3235ec14422d906351c6be277f9c4a1fb2fc4f07f68e45efe45c
Opcode Fuzzy Hash: 9b62463a2143d1fd51a1965e28bbf1b06b7db7c24634945cd93ddf542bcc2661
Instruction Fuzzy Hash: D2D1D570E00605DFCB24DFA8C845AAEBBF6FF85310F10462DE46697382DB75AA44DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00067350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0006750C
___std_exception_destroy.LIBVCRUNTIME ref: 00067522

Strings

[json.exception., xrefs: 000673A1

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: f1f31d44331ae9b7e86522e1cd75bd5e0cbe79977b052ad2bf7fee1a4f61d993
Instruction ID: eb2d69fce2e65a98b44901c15b9bb31cb159ecf7d35a02702b361052006b407a
Opcode Fuzzy Hash: f1f31d44331ae9b7e86522e1cd75bd5e0cbe79977b052ad2bf7fee1a4f61d993
Instruction Fuzzy Hash: 6251F3B0D007489FDB10DF68C905BDEFBB4EF11314F148259E854A7382E7B89A44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000647F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0006499F

Part of subcall function 000951EB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,76A923A0,?,00091CF9,?,001D69D8,76A923A0,?,76A923A0,-001E6880), ref: 0009524B

Strings

ios_base::failbit set, xrefs: 00064828
ios_base::badbit set, xrefs: 00064937, 00064962

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 1903096808-1240500531
Opcode ID: f7c8c209da374ba653db1ae404c5c9c1f586fb3ec65ffd9acf2d94bba4fef6dd
Instruction ID: c634b1d276a4a7a516962b84aa772b5d1a77462d51b8fa16823e1f93a16fcbab
Opcode Fuzzy Hash: f7c8c209da374ba653db1ae404c5c9c1f586fb3ec65ffd9acf2d94bba4fef6dd
Instruction Fuzzy Hash: 814101B1904248AFCB04DF58CD46BEEBBF9EF05710F148219F554A7282EB759A04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00064040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00064061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000640C4

Strings

bad locale name, xrefs: 000640E6

Memory Dump Source

Source File: 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, Offset: 00060000, based on PE: true

Associated: 00000000.00000002.3549401683.0000000000060000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001E2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549484223.00000000001F2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.00000000001FC000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000201000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.0000000000351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000003E0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.00000000006F8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3550003524.000000000099D000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_60000_SecuriteInfo.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 6050fa3594c86a3b61a08b22c750337a3da9e590cba0ce7a2b3291378b673159
Instruction ID: f8130170e486289950fd9ea67a731cc0d11a353a1c9dc2ffdcc8e5d40fb01f25
Opcode Fuzzy Hash: 6050fa3594c86a3b61a08b22c750337a3da9e590cba0ce7a2b3291378b673159
Instruction Fuzzy Hash: 7B11D370905B84EED721CF68C50478BBFF4AF15714F148A8DD09597B82D3B59A04C791

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MPGPH131.exePID: 1440, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1915
Total number of Limit Nodes:	34

Executed Functions

Function 00F94EB0 Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 279
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000002DC,0000FFFF,00001006,?,00000008), ref: 00F94F56
recv.WS2_32(?,00000004,00000002), ref: 00F94F71
WSAGetLastError.WS2_32 ref: 00F94F75
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00F94FF3
recv.WS2_32(00000000,0000000C,00000008), ref: 00F95014
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 00F950B0
recv.WS2_32(00000000,?,00000008), ref: 00F950CB

Part of subcall function 00F95940: WSAStartup.WS2_32 ref: 00F9596A
Part of subcall function 00F95940: getaddrinfo.WS2_32(?,?,?, |), ref: 00F959EC
Part of subcall function 00F95940: socket.WS2_32(?,?,?), ref: 00F95A0D
Part of subcall function 00F95940: connect.WS2_32(00000000,01026B31,?), ref: 00F95A21
Part of subcall function 00F95940: closesocket.WS2_32(00000000), ref: 00F95A2D
Part of subcall function 00F95940: FreeAddrInfoW.WS2_32(?), ref: 00F95A3A
Part of subcall function 00F95940: WSACleanup.WS2_32 ref: 00F95A40

recv.WS2_32(?,00000004,00000008), ref: 00F951D3
__Xtime_get_ticks.LIBCPMT ref: 00F951DA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F951E8
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00F95261
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00F95269

Strings

|, xrefs: 00F94F05

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectgetaddrinfosocket
String ID: |
API String ID: 3089209366-1327881656
Opcode ID: fad7286ff40069ccb4a10a7126c5e984344ef0d3dc4316e0999fe464bcf3cf48
Instruction ID: 6ee0878d08dfe24425b2504b10445b220ab5b62cd90539330f0ff5e9f0438d5b
Opcode Fuzzy Hash: fad7286ff40069ccb4a10a7126c5e984344ef0d3dc4316e0999fe464bcf3cf48
Instruction Fuzzy Hash: C8B18CB1D00308DFEF25DFA4CC49BAEBBB5BB45710F204219E494AB2D2D77A5984DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00F95940 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00F9596A
getaddrinfo.WS2_32(?,?,?, |), ref: 00F959EC
socket.WS2_32(?,?,?), ref: 00F95A0D
connect.WS2_32(00000000,01026B31,?), ref: 00F95A21
closesocket.WS2_32(00000000), ref: 00F95A2D
FreeAddrInfoW.WS2_32(?), ref: 00F95A3A
WSACleanup.WS2_32 ref: 00F95A40
FreeAddrInfoW.WS2_32(?), ref: 00F95A55

Strings

|, xrefs: 00F959C8

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
String ID: |
API String ID: 448659506-1327881656
Opcode ID: 3f92dbbb1762c88d0249a46ef7e13eec5947024b36e0c5caa2ef293fc3734f8f
Instruction ID: 1b6d2f59a97e5231b2a506efa6c9ed691a97c5919bb6ee67363efa3fecd4bcea
Opcode Fuzzy Hash: 3f92dbbb1762c88d0249a46ef7e13eec5947024b36e0c5caa2ef293fc3734f8f
Instruction Fuzzy Hash: DA31F272A04700AFE7319F64DC84A6BBBE4FB85B34F20471DF8A593190D77998049B96

Uniqueness

Uniqueness Score: -1.00%

Function 00ED9280 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 382
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,0101A4DC,00000000,76A923A0,-01056880), ref: 00ED96A6
GetProcAddress.KERNEL32(00000000,?), ref: 00ED96B4
WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0101A4DC,00000000,76A923A0,-01056880), ref: 00ED96C9

Strings

4oST, xrefs: 00ED962C
Ws2_32.dll, xrefs: 00ED969A
4oST, xrefs: 00ED9660

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: AddressHandleModuleProcSend
String ID: 4oST$4oST$Ws2_32.dll
API String ID: 2819740048-1839276265
Opcode ID: 2fc832f71983803c1597ec99cdc80afd3677883d924af9eaca6477891b20dd51
Instruction ID: c00b02764ee0d9cb96d8d50463cf236962bcc9d733b9e31f1c4b11f8cf2b7e13
Opcode Fuzzy Hash: 2fc832f71983803c1597ec99cdc80afd3677883d924af9eaca6477891b20dd51
Instruction Fuzzy Hash: 3A02CA70E04288DFDF25CFA4CC907ADBBB0EF55314F24428AE4897B686D7741986CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F18DEF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00F18CD6,00000000,?,01047178,0000000C,00F18D92,?,?,?), ref: 00F18E45
GetLastError.KERNEL32(?,00F18CD6,00000000,?,01047178,0000000C,00F18D92,?,?,?), ref: 00F18E4F

Strings

P_~, xrefs: 00F18E09

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID: P_~
API String ID: 1687624791-425978370
Opcode ID: 101f13fc55416583588492c7f093d342f4cef8cf76a55bb91e4d4b4b521208e5
Instruction ID: 5a9d035aee1f638bb5dd8549b51c6e42aeaca5887d08a464496c7f28bb4eb8eb
Opcode Fuzzy Hash: 101f13fc55416583588492c7f093d342f4cef8cf76a55bb91e4d4b4b521208e5
Instruction Fuzzy Hash: 6B110C33F041145AD73526B45E45BEE37498B827B4F29065DFD14971C2DF2A9CC2A390

Uniqueness

Uniqueness Score: -1.00%

Function 00F19779 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F18E8F: GetConsoleOutputCP.KERNEL32(20A5FAC5,00000000,00000000,?), ref: 00F18EF2

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F198FE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F19908

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: a736ad410096c7d8c148a8f4fee489fab0a6424d52412cbf16ff1d4bb9145126
Instruction ID: 11ad37bc09ebfc4ef843081fde40d1adbb0840a4fd1834d1c3e73c2e45e1db2d
Opcode Fuzzy Hash: a736ad410096c7d8c148a8f4fee489fab0a6424d52412cbf16ff1d4bb9145126
Instruction Fuzzy Hash: EC61D772D08109AFDF11CFA8CC54AEEBFB9AF09324F540149E900A7246D7B6D981EBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00F1250C Relevance: 3.1, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00F12616,?,?,?,?,?), ref: 00F12548
GetLastError.KERNEL32(?,?,?,?,00F12616,?,?,?,?,?,00000000,?,00000000), ref: 00F12555

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: c1a0e914533cbc966826e82253559f34e8c2e50a54baea17ca8e78d7fc351676
Instruction ID: 407e71170334591e41142adc7349e33f424622507591fbb80fb4aae04bacbd84
Opcode Fuzzy Hash: c1a0e914533cbc966826e82253559f34e8c2e50a54baea17ca8e78d7fc351676
Instruction Fuzzy Hash: 2201D633A10115AFCF158F99DC959DE3F2AEB85330B280208F8119B291EA76ED91DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ED32D0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00ED331F

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction ID: 211cd79f7811f6e27f274889e89f75c2ec154982147514a45b85b482f2ad571e
Opcode Fuzzy Hash: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction Fuzzy Hash: D6F024321001049BCB146F74D9158E9B3E8EF243A1710093BE89CE7392EB2ADA529781

Uniqueness

Uniqueness Score: -1.00%

Function 00F1A64C Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001), ref: 00F1A68D

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 49d3068747d3414ebef74c10cc64a00f7e67ace3a6d440b451d5f6f106f1df09
Instruction ID: afcb2587f01a3efd73c6f10dbb9e1f0333317dc83463465c310e65931464a0a4
Opcode Fuzzy Hash: 49d3068747d3414ebef74c10cc64a00f7e67ace3a6d440b451d5f6f106f1df09
Instruction Fuzzy Hash: DAF0E937A026216F9B325E629C05BDB3748AF41770B1D4111F808DB190DE39DC80B6E2

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B086 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00F1B0B8

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cd077b5b0217d9e91daf39d34ee34c3aa6702ff7cf1baa4aa5a9caad7227e7be
Instruction ID: 4f36a11fa896d002bfbf2c9827f2a7ad140a570b3dbcb770fd812caa962c7e0f
Opcode Fuzzy Hash: cd077b5b0217d9e91daf39d34ee34c3aa6702ff7cf1baa4aa5a9caad7227e7be
Instruction Fuzzy Hash: 8DE03032601611EAEA312A759C047DB3649AF457B0B150161FE65970C1DF298CC0B2E1

Uniqueness

Uniqueness Score: -1.00%

Function 011CEB8C Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 011CEBB7

Memory Dump Source

Source File: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmp, Offset: 01077000, based on PE: true

Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4047af8941ca93394774f1f7c66d6b6e33ffd6915764e1227402051d9074d677
Instruction ID: fc7b595d79e10628012d624b7ea43d260e4e4a5437d3d4e2d03403be97166e43
Opcode Fuzzy Hash: 4047af8941ca93394774f1f7c66d6b6e33ffd6915764e1227402051d9074d677
Instruction Fuzzy Hash: E9E0E2B6310208ABDF24CE8CD889BAB379DEB98A11F108415FA0AD7209C234E8508775

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F9C630 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 240injectionmemorysynchronizationCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 00F9C6A1
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00F9C6BD
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F9C6F2
VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 00F9C71B
WriteProcessMemory.KERNEL32(?,00000000,?,00000218,00000000), ref: 00F9C8BF
WriteProcessMemory.KERNEL32(?,00000218,00F9C990,-00000010,00000000), ref: 00F9C8E1
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000218,00000000,00000000,00000000), ref: 00F9C8F4
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00F9C8FD

Strings

4oST, xrefs: 00F9C7D2
131, xrefs: 00F9C883, 00F9C893
|, xrefs: 00F9C80E, 00F9C827
%s|%s, xrefs: 00F9C89F

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: MemoryProcessWrite$AllocVirtual$CreateObjectRemoteSingleThreadWait
String ID: |$%s|%s$131$4oST
API String ID: 2137838514-3610217710
Opcode ID: 861dfe84e5a2469447c112ee7da6f8290a1ef8b59b62192f7aaf1d746a0320df
Instruction ID: 5b861f30042639bc8c30da544ac5cf4529b05617526bbe125ad9cecc75398c55
Opcode Fuzzy Hash: 861dfe84e5a2469447c112ee7da6f8290a1ef8b59b62192f7aaf1d746a0320df
Instruction Fuzzy Hash: 6DB18BB0D00208DFDB24CFA8CC85BAEBBB5FF48300F104259E549AB285D775A945DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F232E1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,00F235F3,?,?), ref: 00F2337A
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,00F235F3,?,?), ref: 00F233A3
GetACP.KERNEL32(?,?,00F235F3,?,?), ref: 00F233B8

Strings

ACP, xrefs: 00F232FF
OCP, xrefs: 00F23335

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 82a74d017eaf5cc65b39651922fb16b592f111ab93bea56e51182788fd2304ca
Instruction ID: abe0171176a089999ff17370d760a9f4ed9c8068b1b0c2a23e17862ed5f3ba2a
Opcode Fuzzy Hash: 82a74d017eaf5cc65b39651922fb16b592f111ab93bea56e51182788fd2304ca
Instruction Fuzzy Hash: 962195B2A00125EAD734CF19E905B9A73A6BB50B60B568464E945D7104EF3ADF40E350

Uniqueness

Uniqueness Score: -1.00%

Function 00F234BD Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F19E32: GetLastError.KERNEL32(00000000,?,00F1F819), ref: 00F19E36
Part of subcall function 00F19E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000007,000000FF), ref: 00F19ED8

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00F235C5
IsValidCodePage.KERNEL32(?), ref: 00F23603
IsValidLocale.KERNEL32(?,00000001), ref: 00F23616
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00F2365E
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00F23679

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 592856bc77bf46aaa8e97d1dd4a018bda346aa48a382079a159b49215a162029
Instruction ID: 69d2f6936431864b97926680b6b1ab4d4b2e8c8026d2dcf317bd00300415d3c7
Opcode Fuzzy Hash: 592856bc77bf46aaa8e97d1dd4a018bda346aa48a382079a159b49215a162029
Instruction Fuzzy Hash: 7F5162B1E00226ABDB20DFA5EC46EBA77B8AF08710F180469E504E7140DB79DB44AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F22B48 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F19E32: GetLastError.KERNEL32(00000000,?,00F1F819), ref: 00F19E36
Part of subcall function 00F19E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000007,000000FF), ref: 00F19ED8

GetACP.KERNEL32(?,?,?,?,?,?,00F172F0,?,?,?,?,?,-00000050,?,?,?), ref: 00F22C07
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00F172F0,?,?,?,?,?,-00000050,?,?), ref: 00F22C3E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00F22DA1

Strings

utf8, xrefs: 00F22D10

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 2c407024d4af695ea9e6f10c907f0e1b455eb99f04ba3f96162332132f6fb1f7
Instruction ID: 0b84c8fda85aaa1207f92cd817fb120d2bb13be7ed772373492de91cb7bc9fe9
Opcode Fuzzy Hash: 2c407024d4af695ea9e6f10c907f0e1b455eb99f04ba3f96162332132f6fb1f7
Instruction Fuzzy Hash: 44711C35A00326BADB74AF74EC82FBA73A8EF44720F544429F945D7181EB78E940E760

Uniqueness

Uniqueness Score: -1.00%

Function 00F0C950 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction ID: 965086ac0b38eed6816fbb937855bed4742130407901d10d9f4492370dff099b
Opcode Fuzzy Hash: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction Fuzzy Hash: CD023C71E012199BDF14CFA9D9806AEFBF1FF48324F248269D919E7381D731A941EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F279D3 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 00F279EC

Strings

pow, xrefs: 00F27A8A, 00F27B34, 00F27B81
log10, xrefs: 00F27A2E, 00F27A3D
exp, xrefs: 00F27A6B, 00F27AD0
sqrt, xrefs: 00F27B2B
asin, xrefs: 00F27B19
acos, xrefs: 00F27B22
`-, xrefs: 00F27AB6, 00F27B60, 00F27BA6
log, xrefs: 00F27A49, 00F27A58

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: DecodePointer
String ID: `-$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3258016019
Opcode ID: 5a862ee733c03b4010c3982e89660a5e0798c18e3d394bcc389eadaa6c7573e5
Instruction ID: 6f722c76beedb477189669f4bc2885495fb00a2fe7510cc17da0cff0f048cdf9
Opcode Fuzzy Hash: 5a862ee733c03b4010c3982e89660a5e0798c18e3d394bcc389eadaa6c7573e5
Instruction Fuzzy Hash: 0A51B071D0872ACBCF14BF68F8482ADBBB0FB85320F544184D481A7268CB798A65AF55

Uniqueness

Uniqueness Score: -1.00%

Function 00EEA060 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EEA09D
std::_Lockit::_Lockit.LIBCPMT ref: 00EEA0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 00EEA0E7
__Getctype.LIBCPMT ref: 00EEA1C5
std::_Facet_Register.LIBCPMT ref: 00EEA1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 00EEA223

Strings

PG, xrefs: 00EEA1BF
E, xrefs: 00EEA1AE
PD, xrefs: 00EEA19A

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: PD$PG$E
API String ID: 1102183713-3756609794
Opcode ID: 9c2df188ab95fe905e8478ea0bcac27bc05840f87d17991198edfb1d1c3545a5
Instruction ID: deacb9ea31fb4b4d0c4d80f0ca52f41c151ccdbb139181dbd23e1733bd06b164
Opcode Fuzzy Hash: 9c2df188ab95fe905e8478ea0bcac27bc05840f87d17991198edfb1d1c3545a5
Instruction Fuzzy Hash: 29519BB0D01349DBCB21CF58C9457AEBBB4BB14314F18816DD885AB381D779AE44DBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00F072C0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F072F7
___except_validate_context_record.LIBVCRUNTIME ref: 00F072FF
_ValidateLocalCookies.LIBCMT ref: 00F07388
__IsNonwritableInCurrentImage.LIBCMT ref: 00F073B3
_ValidateLocalCookies.LIBCMT ref: 00F07408

Strings

csm, xrefs: 00F0739D
`-, xrefs: 00F073CC

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: `-$csm
API String ID: 1170836740-3034041616
Opcode ID: 1674b9b339ccec35e5dfa253cd5e11a6545cc6ec2ecdbe389fe01fc7b4baf0e5
Instruction ID: 13a367bd49ec94ec1951c238fc14eb3a30a9df9c450c99411aa1e5c9522df07e
Opcode Fuzzy Hash: 1674b9b339ccec35e5dfa253cd5e11a6545cc6ec2ecdbe389fe01fc7b4baf0e5
Instruction Fuzzy Hash: 4541A334E04309DBCF20EF68CC85A9EBBA5AF44324F148195EC189B392D775E915FB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EEC430 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EEC45A
std::_Lockit::_Lockit.LIBCPMT ref: 00EEC47C
std::_Lockit::~_Lockit.LIBCPMT ref: 00EEC4A4
std::_Facet_Register.LIBCPMT ref: 00EEC59A
std::_Lockit::~_Lockit.LIBCPMT ref: 00EEC5C4

Strings

E, xrefs: 00EEC562
PD, xrefs: 00EEC54E

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: E$PD
API String ID: 459529453-4195941332
Opcode ID: 98f2a2c7fbb4d011e879129468f07a2768d533663204f8835094bd7f025ac2e5
Instruction ID: 442b3aad8534b6fe10fdb1ab922b330f06c10957af4453e6269a3eab4c7b1fbc
Opcode Fuzzy Hash: 98f2a2c7fbb4d011e879129468f07a2768d533663204f8835094bd7f025ac2e5
Instruction Fuzzy Hash: 6D5193B0900299DFDB21DF98C954BAEBBF0FB00314F248159E4556B381D77AAA06DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1BB58 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F1BBDE

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction ID: 8292fd284351b9f5d5e1086bc22a14787f10cc715afcb5b2d426583c4b6c667e
Opcode Fuzzy Hash: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction Fuzzy Hash: 98B14632E00365DFDB258F24CC82BEEBBA5EF59360F144155E904AF282D774D981E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B370 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00F1B47F,?,?,00000000,00000001,?,?,00F1B6A9,00000022,FlsSetValue,0102EB88,0102EB90,00000001), ref: 00F1B431

Strings

api-ms-, xrefs: 00F1B3C7
ext-ms-, xrefs: 00F1B3DB

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 06bb89a81a6c1e979f2647cce99ef22564dc967ab0f0d7e88c0554fce6907eab
Instruction ID: 4d1a72a608376819229a9a5759beee0f76497438d3c627c42544506fe3b8aab3
Opcode Fuzzy Hash: 06bb89a81a6c1e979f2647cce99ef22564dc967ab0f0d7e88c0554fce6907eab
Instruction Fuzzy Hash: BD21D232E41221EBCB31DF65DC41ADB3758DB41770F244224E855A7286DB35ED90E7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00F13623 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,20A5FAC5,?,?,00000000,0101E6D5,000000FF,?,00F135FF,?,?,00F135D3,00000016), ref: 00F13658
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F1366A
FreeLibrary.KERNEL32(00000000,?,00000000,0101E6D5,000000FF,?,00F135FF,?,?,00F135D3,00000016), ref: 00F1368C

Strings

CorExitProcess, xrefs: 00F13662
`-, xrefs: 00F1367B
mscoree.dll, xrefs: 00F13651

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$`-$mscoree.dll
API String ID: 4061214504-1261224117
Opcode ID: 17d530b21b348772e8e68526ae3a2405fc4fcf4dbaeb4836c140ce7510d07034
Instruction ID: dbd225b1bebb7d3e8372a11e60a64b3363f0d2961e77b92a066493a44535c0f1
Opcode Fuzzy Hash: 17d530b21b348772e8e68526ae3a2405fc4fcf4dbaeb4836c140ce7510d07034
Instruction Fuzzy Hash: 0401DB31A44729FFCB218F55DC09FAEB7B8FB04B64F104529F851A2694DBB99E00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F952A0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 399COMMON

Download Yara Rule

Strings

191.96.150.225, xrefs: 00F95328
4oST, xrefs: 00F95451
4oST, xrefs: 00F9552A
4oST, xrefs: 00F955B5

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID:
String ID: 191.96.150.225$4oST$4oST$4oST
API String ID: 0-2793144940
Opcode ID: d78431c4f173b46f3c3ba5b787b69808896c4e00d65c1ac2ec14d1bb3b853307
Instruction ID: e7027a46aa1f5d3a43d52d64bf40110e3e820eaac5e416926e4f903c8553f4e3
Opcode Fuzzy Hash: d78431c4f173b46f3c3ba5b787b69808896c4e00d65c1ac2ec14d1bb3b853307
Instruction Fuzzy Hash: 6002F170D04288DEEF15DFA8C9457DEBBB0AB14304F648099E8457B382D7B55E88DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F02719 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00F02720
std::_Lockit::_Lockit.LIBCPMT ref: 00F0272B
std::_Lockit::~_Lockit.LIBCPMT ref: 00F02799

Part of subcall function 00F0287C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00F02894

std::locale::_Setgloballocale.LIBCPMT ref: 00F02746

Strings

`-, xrefs: 00F02768, 00F0278C

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID: `-
API String ID: 677527491-2038111592
Opcode ID: a9150a04b1540db7bbfa24661fca4c91e4e8d09dbbfefc9513da4f47a721a7ea
Instruction ID: d0126d4e08999580690f8b9970cf09734ba60641ebbe245d06c2a1c6c5183f4d
Opcode Fuzzy Hash: a9150a04b1540db7bbfa24661fca4c91e4e8d09dbbfefc9513da4f47a721a7ea
Instruction Fuzzy Hash: 2D01BC79A00221DBC71AEB20D84957E77A5FF84750B18804AE845573C6CFBCAA02FB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F02BB8 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F02BCC
RtlAcquireSRWLockExclusive.NTDLL(00000008), ref: 00F02BEB
RtlAcquireSRWLockExclusive.NTDLL(00000008), ref: 00F02C19
RtlTryAcquireSRWLockExclusive.NTDLL(00000008), ref: 00F02C74
RtlTryAcquireSRWLockExclusive.NTDLL(00000008), ref: 00F02C8B

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: bda4bc55ecc271cce9c22c3261cd455c453a1c79d1bfb27d879d50a840e6589e
Instruction ID: 26fff1fa150eda82dfa4a96f56ed89eaee9e107b56dd628967e1ce3d7393b778
Opcode Fuzzy Hash: bda4bc55ecc271cce9c22c3261cd455c453a1c79d1bfb27d879d50a840e6589e
Instruction Fuzzy Hash: 66413C31A0060ADBEB61CF69C58896EB3B8FF09370B608929D446D7680D735E984FB71

Uniqueness

Uniqueness Score: -1.00%

Function 00ED7350 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00ED750C
___std_exception_destroy.LIBVCRUNTIME ref: 00ED7522

Strings

[json.exception., xrefs: 00ED73A1
), xrefs: 00ED7502, 00ED751C

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )$[json.exception.
API String ID: 4194217158-1768919221
Opcode ID: bc67657c03e45bef553fa49a0b1686069d411c669a4a5ff101fa639903057645
Instruction ID: 9544c63f198ff8ddb406a4da1cfffb7d29a0c210cb79a55dc377874d00996986
Opcode Fuzzy Hash: bc67657c03e45bef553fa49a0b1686069d411c669a4a5ff101fa639903057645
Instruction Fuzzy Hash: 6A51DFB1D04688DFDB00DFA8C905B9EBBF4EF51314F14426DE850AB382E7B85A44D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00ED4900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00ED499F

Part of subcall function 00F051EB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,76A923A0,?,00F01CF9,?,010469D8,76A923A0,?,76A923A0,-01056880), ref: 00F0524B

Strings

ios_base::badbit set, xrefs: 00ED4937, 00ED4962
ios_base::failbit set, xrefs: 00ED4828, 00ED4941
ios_base::eofbit set, xrefs: 00ED4946

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1903096808-1866435925
Opcode ID: 70392d6e5e0c9c9ad2c6c52a4f1463cdb4ec05ad5c66c235a1f7da3a7e39e9d1
Instruction ID: 90caeb077ad6baf0ab23b9a98f579622d2de92f28fb51d477fa6cbc31d59b16f
Opcode Fuzzy Hash: 70392d6e5e0c9c9ad2c6c52a4f1463cdb4ec05ad5c66c235a1f7da3a7e39e9d1
Instruction Fuzzy Hash: EF1159B29046446BCB10DF5DCC02B96739CE744710F04461AF998A73C1EB35A901D792

Uniqueness

Uniqueness Score: -1.00%

Function 00F18E8F Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(20A5FAC5,00000000,00000000,?), ref: 00F18EF2

Part of subcall function 00F1EC43: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00F1A854,?,00000000,-00000008), ref: 00F1ECA4

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00F19144
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00F1918A
GetLastError.KERNEL32 ref: 00F1922D

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: e932309d9084d4854d4d9455985d1f467b889794c82efe5f262fa3ab53693b85
Instruction ID: 20b43516eaff8c362dd043f5227dfc3649131f47e9b07f3ba657bd2270b53b90
Opcode Fuzzy Hash: e932309d9084d4854d4d9455985d1f467b889794c82efe5f262fa3ab53693b85
Instruction Fuzzy Hash: 53D19E75D04248AFCF15CFA8C894AEDBBB5FF09310F24456AE45AEB341D770A982DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F26D22 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000,?,?,00F23DBC,?,00000001,?,?,?,00F19281,?,00000000,00000000), ref: 00F26D39
GetLastError.KERNEL32(?,00F23DBC,?,00000001,?,?,?,00F19281,?,00000000,00000000,?,?,?,00F1985B,?), ref: 00F26D45

Part of subcall function 00F26D0B: CloseHandle.KERNEL32(FFFFFFFE,00F26D55,?,00F23DBC,?,00000001,?,?,?,00F19281,?,00000000,00000000,?,?), ref: 00F26D1B

___initconout.LIBCMT ref: 00F26D55

Part of subcall function 00F26CCD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00F26CFC,00F23DA9,?,?,00F19281,?,00000000,00000000,?), ref: 00F26CE0

WriteConsoleW.KERNEL32(?,?,?,00000000,?,00F23DBC,?,00000001,?,?,?,00F19281,?,00000000,00000000,?), ref: 00F26D6A

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: a0f206abd5ceafdc87b7dc2b229ca4b9420c3302b91b56fe9b638eb50be51c6a
Instruction ID: 3a82a8ffe762f2f7baecbf4788d4fbf284e58c6e0228861067fa4e0c52f170e9
Opcode Fuzzy Hash: a0f206abd5ceafdc87b7dc2b229ca4b9420c3302b91b56fe9b638eb50be51c6a
Instruction Fuzzy Hash: 80F01C36640128FBCF332F91EC09A8A3F66EF083B1B104410FA4886520DA3B8C20EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ED36E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00ED3819
___std_exception_destroy.LIBVCRUNTIME ref: 00ED38F0

Strings

), xrefs: 00ED37ED, 00ED38EA

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: )
API String ID: 2970364248-2934624886
Opcode ID: 690992b9fb7fc030c413dd110f1592885bfeed35f2f022f262cd3408bb90ecc9
Instruction ID: a645ee4dc1952db3092bcdd9601d6ca00439c0f5d8580dc55351a859b45b2cd5
Opcode Fuzzy Hash: 690992b9fb7fc030c413dd110f1592885bfeed35f2f022f262cd3408bb90ecc9
Instruction Fuzzy Hash: 9B6189B1C00258DFDB14CF98C844B9EFBB4FF18324F14825AE854AB682D7B95A44DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ED47F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00ED499F

Part of subcall function 00F051EB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,76A923A0,?,00F01CF9,?,010469D8,76A923A0,?,76A923A0,-01056880), ref: 00F0524B

Strings

ios_base::badbit set, xrefs: 00ED4937, 00ED4962
ios_base::failbit set, xrefs: 00ED4828

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 1903096808-1240500531
Opcode ID: b30f2f758f312465200f7dfc3edf6df6abfd946130e97f4d5d38bf436c9a2dee
Instruction ID: f1016421078fa87aebf298ce0fc182b9d53d5c1721b6ae68ffea73f2932dbdc4
Opcode Fuzzy Hash: b30f2f758f312465200f7dfc3edf6df6abfd946130e97f4d5d38bf436c9a2dee
Instruction Fuzzy Hash: E04101B1900248AFCB04DF58CC46BAEBBF8EB45710F14825EF454AB3C1DB759A01DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ED4040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00ED4061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00ED40C4

Strings

bad locale name, xrefs: 00ED40E6

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: a4323d80c2f3f878d8607007f3c8d0273f474ab8a97b616f079a961b875ad446
Instruction ID: 03393dcda8d14f95586f437f9f0c73e478f8acca2f641cbce3370ee6c7b4e0c3
Opcode Fuzzy Hash: a4323d80c2f3f878d8607007f3c8d0273f474ab8a97b616f079a961b875ad446
Instruction Fuzzy Hash: 3511D370805B84DED321CF68C90474BFFF4AF15714F14869DD09597B81D3B99A04D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00EE6590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00EE65C9
___std_exception_copy.LIBVCRUNTIME ref: 00EE65FC

Strings

), xrefs: 00EE65BA, 00EE65ED

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_copy
String ID: )
API String ID: 2659868963-2934624886
Opcode ID: 814757037e5f316fe91600d1ef4577688e506ef0c6d66e8de91419e7252f90d5
Instruction ID: c3297941a8f8a9d42346c601b1068b77b4a50fdfc63bfab80b5ecac96ef49866
Opcode Fuzzy Hash: 814757037e5f316fe91600d1ef4577688e506ef0c6d66e8de91419e7252f90d5
Instruction Fuzzy Hash: B51130B5900758EFCB15CF99C980B86FBF8FF49720F10876AE9549BA41E774A540CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED7A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00ED7A5C
___std_exception_destroy.LIBVCRUNTIME ref: 00ED7A72

Strings

), xrefs: 00ED7A52, 00ED7A6C

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )
API String ID: 4194217158-2934624886
Opcode ID: 1f99f551c34034b1f3218ab23cae7dfd7684354d85880b8ee9bf81f168cb77f8
Instruction ID: 367f46a82ea203d57119bbff54ca0261c53fa8e0e00526900dcad18e8e68e5f4
Opcode Fuzzy Hash: 1f99f551c34034b1f3218ab23cae7dfd7684354d85880b8ee9bf81f168cb77f8
Instruction Fuzzy Hash: 97F06DB1805758EFC710DF98C90178DBBF8EB05B24F50066AE864A3780D77966048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F0360D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00F03067,?,?,?,?,00F951DF), ref: 00F03645
GetSystemTimeAsFileTime.KERNEL32(?,20A5FAC5,00000000,?,0101E6F2,000000FF,?,00F03067,?,?,?,?,00F951DF), ref: 00F03649

Strings

`-, xrefs: 00F0363F

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID: `-
API String ID: 743729956-2038111592
Opcode ID: e408632424cae917eb82a7aaa64d2c77d78a76ca8d5cccae0efe7ceba3780cb6
Instruction ID: dd412f006dbc54d6c2dd8197b1f0f2c4cf77b5851c1838746c249d93f524b7b9
Opcode Fuzzy Hash: e408632424cae917eb82a7aaa64d2c77d78a76ca8d5cccae0efe7ceba3780cb6
Instruction Fuzzy Hash: BCF0E532A04664EFC7228F54E800F5EB7A8FB08F60F10412AE812D7784CB7AA900DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B7E6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000016,00000001,00F089C2,00000001,00000016,00F08BD1,?,?,?,?,?,00000000), ref: 00F1B826

Strings

InitializeCriticalSectionEx, xrefs: 00F1B7F6
`-, xrefs: 00F1B816

Memory Dump Source

Source File: 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000006.00000002.3550601085.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3550635218.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551098666.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3551206124.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ed0000_MPGPH131.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$`-
API String ID: 2593887523-2357131798
Opcode ID: 4bac6ec2d35737975f50f0c4d152465a7e01afdb46711eb89938686d23307b29
Instruction ID: 75df097798edd60650b3bbbc97edb11a6f3aff24193b1abb626c6bbced84df7f
Opcode Fuzzy Hash: 4bac6ec2d35737975f50f0c4d152465a7e01afdb46711eb89938686d23307b29
Instruction Fuzzy Hash: 25E09232681228FBCB312E51DC05EEE7F16EF08B70F008024F9195A521CBB65862FBD0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: MPGPH131.exePID: 6552, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1915
Total number of Limit Nodes:	34

Executed Functions

Function 00F94EB0 Relevance: 18.3, APIs: 12, Instructions: 279
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000003A8,0000FFFF,00001006,?,00000008), ref: 00F94F56
recv.WS2_32(?,00000004,00000002), ref: 00F94F71
WSAGetLastError.WS2_32 ref: 00F94F75
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00F94FF3
recv.WS2_32(00000000,0000000C,00000008), ref: 00F95014
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 00F950B0
recv.WS2_32(00000000,?,00000008), ref: 00F950CB

Part of subcall function 00F95940: WSAStartup.WS2_32 ref: 00F9596A
Part of subcall function 00F95940: getaddrinfo.WS2_32(?,?,?,01056328), ref: 00F959EC
Part of subcall function 00F95940: socket.WS2_32(?,?,?), ref: 00F95A0D
Part of subcall function 00F95940: connect.WS2_32(00000000,01026B31,?), ref: 00F95A21
Part of subcall function 00F95940: closesocket.WS2_32(00000000), ref: 00F95A2D
Part of subcall function 00F95940: FreeAddrInfoW.WS2_32(?), ref: 00F95A3A
Part of subcall function 00F95940: WSACleanup.WS2_32 ref: 00F95A40

recv.WS2_32(?,00000004,00000008), ref: 00F951D3
__Xtime_get_ticks.LIBCPMT ref: 00F951DA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F951E8
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00F95261
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00F95269

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectgetaddrinfosocket
String ID:
API String ID: 3089209366-0
Opcode ID: fad7286ff40069ccb4a10a7126c5e984344ef0d3dc4316e0999fe464bcf3cf48
Instruction ID: 6ee0878d08dfe24425b2504b10445b220ab5b62cd90539330f0ff5e9f0438d5b
Opcode Fuzzy Hash: fad7286ff40069ccb4a10a7126c5e984344ef0d3dc4316e0999fe464bcf3cf48
Instruction Fuzzy Hash: C8B18CB1D00308DFEF25DFA4CC49BAEBBB5BB45710F204219E494AB2D2D77A5984DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00F95940 Relevance: 12.1, APIs: 8, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00F9596A
getaddrinfo.WS2_32(?,?,?,01056328), ref: 00F959EC
socket.WS2_32(?,?,?), ref: 00F95A0D
connect.WS2_32(00000000,01026B31,?), ref: 00F95A21
closesocket.WS2_32(00000000), ref: 00F95A2D
FreeAddrInfoW.WS2_32(?), ref: 00F95A3A
WSACleanup.WS2_32 ref: 00F95A40
FreeAddrInfoW.WS2_32(?), ref: 00F95A55

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
String ID:
API String ID: 448659506-0
Opcode ID: 3f92dbbb1762c88d0249a46ef7e13eec5947024b36e0c5caa2ef293fc3734f8f
Instruction ID: 1b6d2f59a97e5231b2a506efa6c9ed691a97c5919bb6ee67363efa3fecd4bcea
Opcode Fuzzy Hash: 3f92dbbb1762c88d0249a46ef7e13eec5947024b36e0c5caa2ef293fc3734f8f
Instruction Fuzzy Hash: DA31F272A04700AFE7319F64DC84A6BBBE4FB85B34F20471DF8A593190D77998049B96

Uniqueness

Uniqueness Score: -1.00%

Function 00ED9280 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 382
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,0101A4DC,00000000,76A923A0,-01056880), ref: 00ED96A6
GetProcAddress.KERNEL32(00000000,?), ref: 00ED96B4
WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0101A4DC,00000000,76A923A0,-01056880), ref: 00ED96C9

Strings

4oST, xrefs: 00ED962C
Ws2_32.dll, xrefs: 00ED969A
4oST, xrefs: 00ED9660

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: AddressHandleModuleProcSend
String ID: 4oST$4oST$Ws2_32.dll
API String ID: 2819740048-1839276265
Opcode ID: 2fc832f71983803c1597ec99cdc80afd3677883d924af9eaca6477891b20dd51
Instruction ID: c00b02764ee0d9cb96d8d50463cf236962bcc9d733b9e31f1c4b11f8cf2b7e13
Opcode Fuzzy Hash: 2fc832f71983803c1597ec99cdc80afd3677883d924af9eaca6477891b20dd51
Instruction Fuzzy Hash: 3A02CA70E04288DFDF25CFA4CC907ADBBB0EF55314F24428AE4897B686D7741986CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00F19779 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F18E8F: GetConsoleOutputCP.KERNEL32(200B473F,00000000,00000000,?), ref: 00F18EF2

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F198FE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F19908

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: a736ad410096c7d8c148a8f4fee489fab0a6424d52412cbf16ff1d4bb9145126
Instruction ID: 11ad37bc09ebfc4ef843081fde40d1adbb0840a4fd1834d1c3e73c2e45e1db2d
Opcode Fuzzy Hash: a736ad410096c7d8c148a8f4fee489fab0a6424d52412cbf16ff1d4bb9145126
Instruction Fuzzy Hash: EC61D772D08109AFDF11CFA8CC54AEEBFB9AF09324F540149E900A7246D7B6D981EBD0

Uniqueness

Uniqueness Score: -1.00%

Function 00F18DEF Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00F18CD6,00000000,?,01047178,0000000C,00F18D92,?,?,?), ref: 00F18E45
GetLastError.KERNEL32(?,00F18CD6,00000000,?,01047178,0000000C,00F18D92,?,?,?), ref: 00F18E4F

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: 101f13fc55416583588492c7f093d342f4cef8cf76a55bb91e4d4b4b521208e5
Instruction ID: 5a9d035aee1f638bb5dd8549b51c6e42aeaca5887d08a464496c7f28bb4eb8eb
Opcode Fuzzy Hash: 101f13fc55416583588492c7f093d342f4cef8cf76a55bb91e4d4b4b521208e5
Instruction Fuzzy Hash: 6B110C33F041145AD73526B45E45BEE37498B827B4F29065DFD14971C2DF2A9CC2A390

Uniqueness

Uniqueness Score: -1.00%

Function 00F1250C Relevance: 3.1, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00F12616,?,?,?,?,?), ref: 00F12548
GetLastError.KERNEL32(?,?,?,?,00F12616,?,?,?,?,?,00000000,?,00000000), ref: 00F12555

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: c1a0e914533cbc966826e82253559f34e8c2e50a54baea17ca8e78d7fc351676
Instruction ID: 407e71170334591e41142adc7349e33f424622507591fbb80fb4aae04bacbd84
Opcode Fuzzy Hash: c1a0e914533cbc966826e82253559f34e8c2e50a54baea17ca8e78d7fc351676
Instruction Fuzzy Hash: 2201D633A10115AFCF158F99DC959DE3F2AEB85330B280208F8119B291EA76ED91DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00ED32D0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00ED331F

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction ID: 211cd79f7811f6e27f274889e89f75c2ec154982147514a45b85b482f2ad571e
Opcode Fuzzy Hash: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction Fuzzy Hash: D6F024321001049BCB146F74D9158E9B3E8EF243A1710093BE89CE7392EB2ADA529781

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B086 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 00F1B0B8

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cd077b5b0217d9e91daf39d34ee34c3aa6702ff7cf1baa4aa5a9caad7227e7be
Instruction ID: 4f36a11fa896d002bfbf2c9827f2a7ad140a570b3dbcb770fd812caa962c7e0f
Opcode Fuzzy Hash: cd077b5b0217d9e91daf39d34ee34c3aa6702ff7cf1baa4aa5a9caad7227e7be
Instruction Fuzzy Hash: 8DE03032601611EAEA312A759C047DB3649AF457B0B150161FE65970C1DF298CC0B2E1

Uniqueness

Uniqueness Score: -1.00%

Function 011CEB8C Relevance: 1.3, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 011CEBB7

Memory Dump Source

Source File: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmp, Offset: 01077000, based on PE: true

Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4047af8941ca93394774f1f7c66d6b6e33ffd6915764e1227402051d9074d677
Instruction ID: fc7b595d79e10628012d624b7ea43d260e4e4a5437d3d4e2d03403be97166e43
Opcode Fuzzy Hash: 4047af8941ca93394774f1f7c66d6b6e33ffd6915764e1227402051d9074d677
Instruction Fuzzy Hash: E9E0E2B6310208ABDF24CE8CD889BAB379DEB98A11F108415FA0AD7209C234E8508775

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00F9C630 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 240injectionmemorysynchronizationCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 00F9C6A1
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 00F9C6BD
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 00F9C6F2
VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 00F9C71B
WriteProcessMemory.KERNEL32(?,00000000,?,00000218,00000000), ref: 00F9C8BF
WriteProcessMemory.KERNEL32(?,00000218,00F9C990,-00000010,00000000), ref: 00F9C8E1
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000218,00000000,00000000,00000000), ref: 00F9C8F4
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00F9C8FD

Strings

%s|%s, xrefs: 00F9C89F
4oST, xrefs: 00F9C7D2
131, xrefs: 00F9C883, 00F9C893

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: MemoryProcessWrite$AllocVirtual$CreateObjectRemoteSingleThreadWait
String ID: %s|%s$131$4oST
API String ID: 2137838514-1634972829
Opcode ID: 861dfe84e5a2469447c112ee7da6f8290a1ef8b59b62192f7aaf1d746a0320df
Instruction ID: 5b861f30042639bc8c30da544ac5cf4529b05617526bbe125ad9cecc75398c55
Opcode Fuzzy Hash: 861dfe84e5a2469447c112ee7da6f8290a1ef8b59b62192f7aaf1d746a0320df
Instruction Fuzzy Hash: 6DB18BB0D00208DFDB24CFA8CC85BAEBBB5FF48300F104259E549AB285D775A945DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F232E1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,00F235F3,?,?), ref: 00F2337A
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,00F235F3,?,?), ref: 00F233A3
GetACP.KERNEL32(?,?,00F235F3,?,?), ref: 00F233B8

Strings

ACP, xrefs: 00F232FF
OCP, xrefs: 00F23335

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 82a74d017eaf5cc65b39651922fb16b592f111ab93bea56e51182788fd2304ca
Instruction ID: abe0171176a089999ff17370d760a9f4ed9c8068b1b0c2a23e17862ed5f3ba2a
Opcode Fuzzy Hash: 82a74d017eaf5cc65b39651922fb16b592f111ab93bea56e51182788fd2304ca
Instruction Fuzzy Hash: 962195B2A00125EAD734CF19E905B9A73A6BB50B60B568464E945D7104EF3ADF40E350

Uniqueness

Uniqueness Score: -1.00%

Function 00F234BD Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F19E32: GetLastError.KERNEL32(00000000,?,00F1F819), ref: 00F19E36
Part of subcall function 00F19E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000007,000000FF), ref: 00F19ED8

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00F235C5
IsValidCodePage.KERNEL32(?), ref: 00F23603
IsValidLocale.KERNEL32(?,00000001), ref: 00F23616
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00F2365E
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00F23679

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 592856bc77bf46aaa8e97d1dd4a018bda346aa48a382079a159b49215a162029
Instruction ID: 69d2f6936431864b97926680b6b1ab4d4b2e8c8026d2dcf317bd00300415d3c7
Opcode Fuzzy Hash: 592856bc77bf46aaa8e97d1dd4a018bda346aa48a382079a159b49215a162029
Instruction Fuzzy Hash: 7F5162B1E00226ABDB20DFA5EC46EBA77B8AF08710F180469E504E7140DB79DB44AB61

Uniqueness

Uniqueness Score: -1.00%

Function 00F22B48 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F19E32: GetLastError.KERNEL32(00000000,?,00F1F819), ref: 00F19E36
Part of subcall function 00F19E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000007,000000FF), ref: 00F19ED8

GetACP.KERNEL32(?,?,?,?,?,?,00F172F0,?,?,?,?,?,-00000050,?,?,?), ref: 00F22C07
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00F172F0,?,?,?,?,?,-00000050,?,?), ref: 00F22C3E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00F22DA1

Strings

utf8, xrefs: 00F22D10

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 2c407024d4af695ea9e6f10c907f0e1b455eb99f04ba3f96162332132f6fb1f7
Instruction ID: 0b84c8fda85aaa1207f92cd817fb120d2bb13be7ed772373492de91cb7bc9fe9
Opcode Fuzzy Hash: 2c407024d4af695ea9e6f10c907f0e1b455eb99f04ba3f96162332132f6fb1f7
Instruction Fuzzy Hash: 44711C35A00326BADB74AF74EC82FBA73A8EF44720F544429F945D7181EB78E940E760

Uniqueness

Uniqueness Score: -1.00%

Function 00F0C950 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction ID: 965086ac0b38eed6816fbb937855bed4742130407901d10d9f4492370dff099b
Opcode Fuzzy Hash: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction Fuzzy Hash: CD023C71E012199BDF14CFA9D9806AEFBF1FF48324F248269D919E7381D731A941EB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F279D3 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 00F279EC

Strings

exp, xrefs: 00F27A6B, 00F27AD0
`-, xrefs: 00F27AB6, 00F27B60, 00F27BA6
acos, xrefs: 00F27B22
sqrt, xrefs: 00F27B2B
log, xrefs: 00F27A49, 00F27A58
asin, xrefs: 00F27B19
log10, xrefs: 00F27A2E, 00F27A3D
pow, xrefs: 00F27A8A, 00F27B34, 00F27B81

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: DecodePointer
String ID: `-$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3258016019
Opcode ID: 5a862ee733c03b4010c3982e89660a5e0798c18e3d394bcc389eadaa6c7573e5
Instruction ID: 6f722c76beedb477189669f4bc2885495fb00a2fe7510cc17da0cff0f048cdf9
Opcode Fuzzy Hash: 5a862ee733c03b4010c3982e89660a5e0798c18e3d394bcc389eadaa6c7573e5
Instruction Fuzzy Hash: 0A51B071D0872ACBCF14BF68F8482ADBBB0FB85320F544184D481A7268CB798A65AF55

Uniqueness

Uniqueness Score: -1.00%

Function 00EEA060 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EEA09D
std::_Lockit::_Lockit.LIBCPMT ref: 00EEA0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 00EEA0E7
__Getctype.LIBCPMT ref: 00EEA1C5
std::_Facet_Register.LIBCPMT ref: 00EEA1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 00EEA223

Strings

PG, xrefs: 00EEA1BF
E, xrefs: 00EEA1AE
PD, xrefs: 00EEA19A

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: PD$PG$E
API String ID: 1102183713-3756609794
Opcode ID: 9c2df188ab95fe905e8478ea0bcac27bc05840f87d17991198edfb1d1c3545a5
Instruction ID: deacb9ea31fb4b4d0c4d80f0ca52f41c151ccdbb139181dbd23e1733bd06b164
Opcode Fuzzy Hash: 9c2df188ab95fe905e8478ea0bcac27bc05840f87d17991198edfb1d1c3545a5
Instruction Fuzzy Hash: 29519BB0D01349DBCB21CF58C9457AEBBB4BB14314F18816DD885AB381D779AE44DBD2

Uniqueness

Uniqueness Score: -1.00%

Function 00F072C0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F072F7
___except_validate_context_record.LIBVCRUNTIME ref: 00F072FF
_ValidateLocalCookies.LIBCMT ref: 00F07388
__IsNonwritableInCurrentImage.LIBCMT ref: 00F073B3
_ValidateLocalCookies.LIBCMT ref: 00F07408

Strings

`-, xrefs: 00F073CC
csm, xrefs: 00F0739D

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: `-$csm
API String ID: 1170836740-3034041616
Opcode ID: 1674b9b339ccec35e5dfa253cd5e11a6545cc6ec2ecdbe389fe01fc7b4baf0e5
Instruction ID: 13a367bd49ec94ec1951c238fc14eb3a30a9df9c450c99411aa1e5c9522df07e
Opcode Fuzzy Hash: 1674b9b339ccec35e5dfa253cd5e11a6545cc6ec2ecdbe389fe01fc7b4baf0e5
Instruction Fuzzy Hash: 4541A334E04309DBCF20EF68CC85A9EBBA5AF44324F148195EC189B392D775E915FB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EEC430 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EEC45A
std::_Lockit::_Lockit.LIBCPMT ref: 00EEC47C
std::_Lockit::~_Lockit.LIBCPMT ref: 00EEC4A4
std::_Facet_Register.LIBCPMT ref: 00EEC59A
std::_Lockit::~_Lockit.LIBCPMT ref: 00EEC5C4

Strings

E, xrefs: 00EEC562
PD, xrefs: 00EEC54E

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: E$PD
API String ID: 459529453-4195941332
Opcode ID: 98f2a2c7fbb4d011e879129468f07a2768d533663204f8835094bd7f025ac2e5
Instruction ID: 442b3aad8534b6fe10fdb1ab922b330f06c10957af4453e6269a3eab4c7b1fbc
Opcode Fuzzy Hash: 98f2a2c7fbb4d011e879129468f07a2768d533663204f8835094bd7f025ac2e5
Instruction Fuzzy Hash: 6D5193B0900299DFDB21DF98C954BAEBBF0FB00314F248159E4556B381D77AAA06DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00F1BB58 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F1BBDE

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction ID: 8292fd284351b9f5d5e1086bc22a14787f10cc715afcb5b2d426583c4b6c667e
Opcode Fuzzy Hash: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction Fuzzy Hash: 98B14632E00365DFDB258F24CC82BEEBBA5EF59360F144155E904AF282D774D981E7A0

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B370 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00F1B47F,?,?,00000000,00000001,?,?,00F1B6A9,00000022,FlsSetValue,0102EB88,0102EB90,00000001), ref: 00F1B431

Strings

api-ms-, xrefs: 00F1B3C7
ext-ms-, xrefs: 00F1B3DB

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 06bb89a81a6c1e979f2647cce99ef22564dc967ab0f0d7e88c0554fce6907eab
Instruction ID: 4d1a72a608376819229a9a5759beee0f76497438d3c627c42544506fe3b8aab3
Opcode Fuzzy Hash: 06bb89a81a6c1e979f2647cce99ef22564dc967ab0f0d7e88c0554fce6907eab
Instruction Fuzzy Hash: BD21D232E41221EBCB31DF65DC41ADB3758DB41770F244224E855A7286DB35ED90E7D0

Uniqueness

Uniqueness Score: -1.00%

Function 00F13623 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,200B473F,?,?,00000000,0101E6D5,000000FF,?,00F135FF,?,?,00F135D3,00000016), ref: 00F13658
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F1366A
FreeLibrary.KERNEL32(00000000,?,00000000,0101E6D5,000000FF,?,00F135FF,?,?,00F135D3,00000016), ref: 00F1368C

Strings

mscoree.dll, xrefs: 00F13651
`-, xrefs: 00F1367B
CorExitProcess, xrefs: 00F13662

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$`-$mscoree.dll
API String ID: 4061214504-1261224117
Opcode ID: 17d530b21b348772e8e68526ae3a2405fc4fcf4dbaeb4836c140ce7510d07034
Instruction ID: dbd225b1bebb7d3e8372a11e60a64b3363f0d2961e77b92a066493a44535c0f1
Opcode Fuzzy Hash: 17d530b21b348772e8e68526ae3a2405fc4fcf4dbaeb4836c140ce7510d07034
Instruction Fuzzy Hash: 0401DB31A44729FFCB218F55DC09FAEB7B8FB04B64F104529F851A2694DBB99E00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 00F952A0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 399COMMON

Download Yara Rule

Strings

191.96.150.225, xrefs: 00F95328
4oST, xrefs: 00F9552A
4oST, xrefs: 00F955B5
4oST, xrefs: 00F95451

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID:
String ID: 191.96.150.225$4oST$4oST$4oST
API String ID: 0-2793144940
Opcode ID: d78431c4f173b46f3c3ba5b787b69808896c4e00d65c1ac2ec14d1bb3b853307
Instruction ID: e7027a46aa1f5d3a43d52d64bf40110e3e820eaac5e416926e4f903c8553f4e3
Opcode Fuzzy Hash: d78431c4f173b46f3c3ba5b787b69808896c4e00d65c1ac2ec14d1bb3b853307
Instruction Fuzzy Hash: 6002F170D04288DEEF15DFA8C9457DEBBB0AB14304F648099E8457B382D7B55E88DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F02719 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00F02720
std::_Lockit::_Lockit.LIBCPMT ref: 00F0272B
std::_Lockit::~_Lockit.LIBCPMT ref: 00F02799

Part of subcall function 00F0287C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00F02894

std::locale::_Setgloballocale.LIBCPMT ref: 00F02746

Strings

`-, xrefs: 00F02768, 00F0278C

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID: `-
API String ID: 677527491-2038111592
Opcode ID: a9150a04b1540db7bbfa24661fca4c91e4e8d09dbbfefc9513da4f47a721a7ea
Instruction ID: d0126d4e08999580690f8b9970cf09734ba60641ebbe245d06c2a1c6c5183f4d
Opcode Fuzzy Hash: a9150a04b1540db7bbfa24661fca4c91e4e8d09dbbfefc9513da4f47a721a7ea
Instruction Fuzzy Hash: 2D01BC79A00221DBC71AEB20D84957E77A5FF84750B18804AE845573C6CFBCAA02FB91

Uniqueness

Uniqueness Score: -1.00%

Function 00F02BB8 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F02BCC
RtlAcquireSRWLockExclusive.NTDLL(00000008), ref: 00F02BEB
RtlAcquireSRWLockExclusive.NTDLL(00000008), ref: 00F02C19
RtlTryAcquireSRWLockExclusive.NTDLL(00000008), ref: 00F02C74
RtlTryAcquireSRWLockExclusive.NTDLL(00000008), ref: 00F02C8B

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: bda4bc55ecc271cce9c22c3261cd455c453a1c79d1bfb27d879d50a840e6589e
Instruction ID: 26fff1fa150eda82dfa4a96f56ed89eaee9e107b56dd628967e1ce3d7393b778
Opcode Fuzzy Hash: bda4bc55ecc271cce9c22c3261cd455c453a1c79d1bfb27d879d50a840e6589e
Instruction Fuzzy Hash: 66413C31A0060ADBEB61CF69C58896EB3B8FF09370B608929D446D7680D735E984FB71

Uniqueness

Uniqueness Score: -1.00%

Function 00ED7350 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00ED750C
___std_exception_destroy.LIBVCRUNTIME ref: 00ED7522

Strings

[json.exception., xrefs: 00ED73A1
), xrefs: 00ED7502, 00ED751C

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )$[json.exception.
API String ID: 4194217158-1768919221
Opcode ID: bc67657c03e45bef553fa49a0b1686069d411c669a4a5ff101fa639903057645
Instruction ID: 9544c63f198ff8ddb406a4da1cfffb7d29a0c210cb79a55dc377874d00996986
Opcode Fuzzy Hash: bc67657c03e45bef553fa49a0b1686069d411c669a4a5ff101fa639903057645
Instruction Fuzzy Hash: 6A51DFB1D04688DFDB00DFA8C905B9EBBF4EF51314F14426DE850AB382E7B85A44D7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00ED4900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00ED499F

Part of subcall function 00F051EB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,76A923A0,?,00F01CF9,?,010469D8,76A923A0,?,76A923A0,-01056880), ref: 00F0524B

Strings

ios_base::failbit set, xrefs: 00ED4828, 00ED4941
ios_base::eofbit set, xrefs: 00ED4946
ios_base::badbit set, xrefs: 00ED4937, 00ED4962

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1903096808-1866435925
Opcode ID: 70392d6e5e0c9c9ad2c6c52a4f1463cdb4ec05ad5c66c235a1f7da3a7e39e9d1
Instruction ID: 90caeb077ad6baf0ab23b9a98f579622d2de92f28fb51d477fa6cbc31d59b16f
Opcode Fuzzy Hash: 70392d6e5e0c9c9ad2c6c52a4f1463cdb4ec05ad5c66c235a1f7da3a7e39e9d1
Instruction Fuzzy Hash: EF1159B29046446BCB10DF5DCC02B96739CE744710F04461AF998A73C1EB35A901D792

Uniqueness

Uniqueness Score: -1.00%

Function 00F18E8F Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(200B473F,00000000,00000000,?), ref: 00F18EF2

Part of subcall function 00F1EC43: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00F1A854,?,00000000,-00000008), ref: 00F1ECA4

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00F19144
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00F1918A
GetLastError.KERNEL32 ref: 00F1922D

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: e932309d9084d4854d4d9455985d1f467b889794c82efe5f262fa3ab53693b85
Instruction ID: 20b43516eaff8c362dd043f5227dfc3649131f47e9b07f3ba657bd2270b53b90
Opcode Fuzzy Hash: e932309d9084d4854d4d9455985d1f467b889794c82efe5f262fa3ab53693b85
Instruction Fuzzy Hash: 53D19E75D04248AFCF15CFA8C894AEDBBB5FF09310F24456AE45AEB341D770A982DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00F26D22 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000,?,?,00F23DBC,?,00000001,?,?,?,00F19281,?,00000000,00000000), ref: 00F26D39
GetLastError.KERNEL32(?,00F23DBC,?,00000001,?,?,?,00F19281,?,00000000,00000000,?,?,?,00F1985B,?), ref: 00F26D45

Part of subcall function 00F26D0B: CloseHandle.KERNEL32(FFFFFFFE,00F26D55,?,00F23DBC,?,00000001,?,?,?,00F19281,?,00000000,00000000,?,?), ref: 00F26D1B

___initconout.LIBCMT ref: 00F26D55

Part of subcall function 00F26CCD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00F26CFC,00F23DA9,?,?,00F19281,?,00000000,00000000,?), ref: 00F26CE0

WriteConsoleW.KERNEL32(?,?,?,00000000,?,00F23DBC,?,00000001,?,?,?,00F19281,?,00000000,00000000,?), ref: 00F26D6A

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: a0f206abd5ceafdc87b7dc2b229ca4b9420c3302b91b56fe9b638eb50be51c6a
Instruction ID: 3a82a8ffe762f2f7baecbf4788d4fbf284e58c6e0228861067fa4e0c52f170e9
Opcode Fuzzy Hash: a0f206abd5ceafdc87b7dc2b229ca4b9420c3302b91b56fe9b638eb50be51c6a
Instruction Fuzzy Hash: 80F01C36640128FBCF332F91EC09A8A3F66EF083B1B104410FA4886520DA3B8C20EB91

Uniqueness

Uniqueness Score: -1.00%

Function 00ED36E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00ED3819
___std_exception_destroy.LIBVCRUNTIME ref: 00ED38F0

Strings

), xrefs: 00ED37ED, 00ED38EA

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: )
API String ID: 2970364248-2934624886
Opcode ID: 690992b9fb7fc030c413dd110f1592885bfeed35f2f022f262cd3408bb90ecc9
Instruction ID: a645ee4dc1952db3092bcdd9601d6ca00439c0f5d8580dc55351a859b45b2cd5
Opcode Fuzzy Hash: 690992b9fb7fc030c413dd110f1592885bfeed35f2f022f262cd3408bb90ecc9
Instruction Fuzzy Hash: 9B6189B1C00258DFDB14CF98C844B9EFBB4FF18324F14825AE854AB682D7B95A44DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ED47F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00ED499F

Part of subcall function 00F051EB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,76A923A0,?,00F01CF9,?,010469D8,76A923A0,?,76A923A0,-01056880), ref: 00F0524B

Strings

ios_base::failbit set, xrefs: 00ED4828
ios_base::badbit set, xrefs: 00ED4937, 00ED4962

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 1903096808-1240500531
Opcode ID: b30f2f758f312465200f7dfc3edf6df6abfd946130e97f4d5d38bf436c9a2dee
Instruction ID: f1016421078fa87aebf298ce0fc182b9d53d5c1721b6ae68ffea73f2932dbdc4
Opcode Fuzzy Hash: b30f2f758f312465200f7dfc3edf6df6abfd946130e97f4d5d38bf436c9a2dee
Instruction Fuzzy Hash: E04101B1900248AFCB04DF58CC46BAEBBF8EB45710F14825EF454AB3C1DB759A01DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ED4040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00ED4061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00ED40C4

Strings

bad locale name, xrefs: 00ED40E6

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: a4323d80c2f3f878d8607007f3c8d0273f474ab8a97b616f079a961b875ad446
Instruction ID: 03393dcda8d14f95586f437f9f0c73e478f8acca2f641cbce3370ee6c7b4e0c3
Opcode Fuzzy Hash: a4323d80c2f3f878d8607007f3c8d0273f474ab8a97b616f079a961b875ad446
Instruction Fuzzy Hash: 3511D370805B84DED321CF68C90474BFFF4AF15714F14869DD09597B81D3B99A04D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00EE6590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00EE65C9
___std_exception_copy.LIBVCRUNTIME ref: 00EE65FC

Strings

), xrefs: 00EE65BA, 00EE65ED

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_copy
String ID: )
API String ID: 2659868963-2934624886
Opcode ID: 814757037e5f316fe91600d1ef4577688e506ef0c6d66e8de91419e7252f90d5
Instruction ID: c3297941a8f8a9d42346c601b1068b77b4a50fdfc63bfab80b5ecac96ef49866
Opcode Fuzzy Hash: 814757037e5f316fe91600d1ef4577688e506ef0c6d66e8de91419e7252f90d5
Instruction Fuzzy Hash: B51130B5900758EFCB15CF99C980B86FBF8FF49720F10876AE9549BA41E774A540CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00ED7A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00ED7A5C
___std_exception_destroy.LIBVCRUNTIME ref: 00ED7A72

Strings

), xrefs: 00ED7A52, 00ED7A6C

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )
API String ID: 4194217158-2934624886
Opcode ID: 1f99f551c34034b1f3218ab23cae7dfd7684354d85880b8ee9bf81f168cb77f8
Instruction ID: 367f46a82ea203d57119bbff54ca0261c53fa8e0e00526900dcad18e8e68e5f4
Opcode Fuzzy Hash: 1f99f551c34034b1f3218ab23cae7dfd7684354d85880b8ee9bf81f168cb77f8
Instruction Fuzzy Hash: 97F06DB1805758EFC710DF98C90178DBBF8EB05B24F50066AE864A3780D77966048BA1

Uniqueness

Uniqueness Score: -1.00%

Function 00F0360D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00F03067,?,?,?,?,00F951DF), ref: 00F03645
GetSystemTimeAsFileTime.KERNEL32(?,200B473F,00000000,?,0101E6F2,000000FF,?,00F03067,?,?,?,?,00F951DF), ref: 00F03649

Strings

`-, xrefs: 00F0363F

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID: `-
API String ID: 743729956-2038111592
Opcode ID: e408632424cae917eb82a7aaa64d2c77d78a76ca8d5cccae0efe7ceba3780cb6
Instruction ID: dd412f006dbc54d6c2dd8197b1f0f2c4cf77b5851c1838746c249d93f524b7b9
Opcode Fuzzy Hash: e408632424cae917eb82a7aaa64d2c77d78a76ca8d5cccae0efe7ceba3780cb6
Instruction Fuzzy Hash: BCF0E532A04664EFC7228F54E800F5EB7A8FB08F60F10412AE812D7784CB7AA900DF80

Uniqueness

Uniqueness Score: -1.00%

Function 00F1B7E6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000016,00000001,00F089C2,00000001,00000016,00F08BD1,?,?,?,?,?,00000000), ref: 00F1B826

Strings

`-, xrefs: 00F1B816
InitializeCriticalSectionEx, xrefs: 00F1B7F6

Memory Dump Source

Source File: 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, Offset: 00ED0000, based on PE: true

Associated: 00000007.00000002.3549690908.0000000000ED0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001052000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549710928.0000000001062000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.000000000106C000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001071000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3549931920.0000000001074000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.00000000011C1000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001250000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.0000000001568000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3550023689.000000000180D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_ed0000_MPGPH131.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$`-
API String ID: 2593887523-2357131798
Opcode ID: 4bac6ec2d35737975f50f0c4d152465a7e01afdb46711eb89938686d23307b29
Instruction ID: 75df097798edd60650b3bbbc97edb11a6f3aff24193b1abb626c6bbced84df7f
Opcode Fuzzy Hash: 4bac6ec2d35737975f50f0c4d152465a7e01afdb46711eb89938686d23307b29
Instruction Fuzzy Hash: 25E09232681228FBCB312E51DC05EEE7F16EF08B70F008024F9195A521CBB65862FBD0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RageMP131.exePID: 2724, Parent PID: 1028COMMON

Executed Functions

Function 00894EB0 Relevance: 18.3, APIs: 12, Instructions: 279
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000003D0,0000FFFF,00001006,?,00000008), ref: 00894F56
recv.WS2_32(?,00000004,00000002), ref: 00894F71
WSAGetLastError.WS2_32 ref: 00894F75
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00894FF3
recv.WS2_32(00000000,0000000C,00000008), ref: 00895014
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 008950B0
recv.WS2_32(00000000,?,00000008), ref: 008950CB

Part of subcall function 00895940: WSAStartup.WS2_32 ref: 0089596A
Part of subcall function 00895940: getaddrinfo.WS2_32(?,?,?,00956328), ref: 008959EC
Part of subcall function 00895940: socket.WS2_32(?,?,?), ref: 00895A0D
Part of subcall function 00895940: connect.WS2_32(00000000,00926B31,?), ref: 00895A21
Part of subcall function 00895940: closesocket.WS2_32(00000000), ref: 00895A2D
Part of subcall function 00895940: FreeAddrInfoW.WS2_32(?), ref: 00895A3A
Part of subcall function 00895940: WSACleanup.WS2_32 ref: 00895A40

recv.WS2_32(?,00000004,00000008), ref: 008951D3
__Xtime_get_ticks.LIBCPMT ref: 008951DA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008951E8
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00895261
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00895269

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: recv$Sleepsetsockopt$AddrCleanupErrorFreeInfoLastStartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectgetaddrinfosocket
String ID:
API String ID: 3089209366-0
Opcode ID: 1b7ddc9fbf883da0edb6a7def89b5196b10e1121c07cd45aa46b28c447499ad9
Instruction ID: 6e86e9e7226468afdd66fd0cc0e27f825b3e493c99c5dd631237143dcab97fbd
Opcode Fuzzy Hash: 1b7ddc9fbf883da0edb6a7def89b5196b10e1121c07cd45aa46b28c447499ad9
Instruction Fuzzy Hash: B9B1A971D14308DFEB21EFA8DC49BADBBB1FB45310F244219E454AB2E2D7745984DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00895940 Relevance: 12.1, APIs: 8, Instructions: 92
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0089596A
getaddrinfo.WS2_32(?,?,?,00956328), ref: 008959EC
socket.WS2_32(?,?,?), ref: 00895A0D
connect.WS2_32(00000000,00926B31,?), ref: 00895A21
closesocket.WS2_32(00000000), ref: 00895A2D
FreeAddrInfoW.WS2_32(?), ref: 00895A3A
WSACleanup.WS2_32 ref: 00895A40
FreeAddrInfoW.WS2_32(?), ref: 00895A55

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: AddrFreeInfo$CleanupStartupclosesocketconnectgetaddrinfosocket
String ID:
API String ID: 448659506-0
Opcode ID: 25a1c611f5687a25a4a822b714b17a903dcc48d16fcf41c6c17c231859bfdf43
Instruction ID: 336365447e4156bdf3345bdc5744a15cace43b23a0d66271664081053ee80302
Opcode Fuzzy Hash: 25a1c611f5687a25a4a822b714b17a903dcc48d16fcf41c6c17c231859bfdf43
Instruction Fuzzy Hash: FB31D0325087109FDB21EF64DC84A6ABBE5FB84734F14071DF8A5D32E0D73098059B96

Uniqueness

Uniqueness Score: -1.00%

Function 007D9280 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 382
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,0091A4DC,00000000,76A923A0,-00956880), ref: 007D96A6
GetProcAddress.KERNEL32(00000000,?), ref: 007D96B4
WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0091A4DC,00000000,76A923A0,-00956880), ref: 007D96C9

Strings

4oST, xrefs: 007D962C
Ws2_32.dll, xrefs: 007D969A
4oST, xrefs: 007D9660

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: AddressHandleModuleProcSend
String ID: 4oST$4oST$Ws2_32.dll
API String ID: 2819740048-1839276265
Opcode ID: 106db1294e063374b3fae26b1ac27230dbbbc6077db979c6e8379a9026ba52c4
Instruction ID: be2180a1b7ed132c82aeb594269f9aa2f99de3817db59004f6f6611865787bb5
Opcode Fuzzy Hash: 106db1294e063374b3fae26b1ac27230dbbbc6077db979c6e8379a9026ba52c4
Instruction Fuzzy Hash: 0F02E070E04288DFDF25CFA4C8907EDBBB0FF55314F24429AE4896B686D7741986CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00819779 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00818E8F: GetConsoleOutputCP.KERNEL32(2784C555,00000000,00000000,?), ref: 00818EF2

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008198FE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?), ref: 00819908

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 048912398b30d9ac83e6426d764ab1423c094a4bd6d574c14d858dbea16cb1fa
Instruction ID: b2e3769e4d112b6cab075fe07ec3df52136722792741f55fd229e7b63727c57c
Opcode Fuzzy Hash: 048912398b30d9ac83e6426d764ab1423c094a4bd6d574c14d858dbea16cb1fa
Instruction Fuzzy Hash: C961AF72C14209ABDF118FA8C854AEEBFBDFF09318F140159E984E7252D332D981CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00818DEF Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00818CD6,00000000,?,00947178,0000000C,00818D92,?,?,?), ref: 00818E45
GetLastError.KERNEL32(?,00818CD6,00000000,?,00947178,0000000C,00818D92,?,?,?), ref: 00818E4F

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: fe91adaf6e493d62f46b4e224fd9d622174d3db2a396129014046f136bc55219
Instruction ID: 89a5c868a2c7fd8c84a962af377bbe7b6366fee6294aaf6461df1058b7e40b1d
Opcode Fuzzy Hash: fe91adaf6e493d62f46b4e224fd9d622174d3db2a396129014046f136bc55219
Instruction Fuzzy Hash: 621108337142149ACA252638AC4BBEE6B4DFF82734F290659FD18D71D2DF219CC18292

Uniqueness

Uniqueness Score: -1.00%

Function 0081250C Relevance: 3.1, APIs: 2, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00812616,?,?,?,?,?), ref: 00812548
GetLastError.KERNEL32(?,?,?,?,00812616,?,?,?,?,?,00000000,?,00000000), ref: 00812555

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 997804704bfaa272cef691742ff6a32b585054e4a32e56ae1b2b78af1df34299
Instruction ID: 3bba7553e9e58b7c5ef6f47585c63d2c6f443b44533566bd43e33da8ac780972
Opcode Fuzzy Hash: 997804704bfaa272cef691742ff6a32b585054e4a32e56ae1b2b78af1df34299
Instruction Fuzzy Hash: 8001A133614219AFCF058F59DC559DA3B2EEF85324B240208F811DB291E671E9A2DB90

Uniqueness

Uniqueness Score: -1.00%

Function 007D32D0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 007D331F

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction ID: bea65e72d45d46e7c162c74e29012c09cc626ba225c725f61120c3324b9872ea
Opcode Fuzzy Hash: 88e0f75f83d5f9e69285ef2088a1dfdc1055322beeb667a90db4e8c6ac7f301f
Instruction Fuzzy Hash: 42F0B4721001049BDB146F68D9158E9B3F8EF243A1710097BE89DD7362EB2ADA518792

Uniqueness

Uniqueness Score: -1.00%

Function 0081A64C Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001), ref: 0081A68D

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 294c59123d40f5ad6bbfbdb2565f10badd70ac09e808d83027d683b215f807f8
Instruction ID: 045f11d99f738d43e69370e8c3105f5748dd0aefbbaeb6fa073cc496f1d89b70
Opcode Fuzzy Hash: 294c59123d40f5ad6bbfbdb2565f10badd70ac09e808d83027d683b215f807f8
Instruction Fuzzy Hash: 12F0B4762166256B9B2A6B66DC05AEA374DFF61770F1D4111A808EA190DA34DC8086E3

Uniqueness

Uniqueness Score: -1.00%

Function 0081B086 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?), ref: 0081B0B8

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4e6613db3e9c2cb822d229d8a2bbc9c0554def66414f3c5a2044debd6f3076f3
Instruction ID: fbb3efddbc8482f89436e33f8860afaa7fcf585d24d75a1322183a48dfaa3d2a
Opcode Fuzzy Hash: 4e6613db3e9c2cb822d229d8a2bbc9c0554def66414f3c5a2044debd6f3076f3
Instruction Fuzzy Hash: D1E03032155E246BEA3137769C05BDB364DFF457A0F150161ED25D70D1DB258CC092E2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0089C630 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 240injectionmemorysynchronizationCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(00000000,00000000,?,00003000,00000040), ref: 0089C6A1
WriteProcessMemory.KERNEL32(00000000,00000000,?,?,00000000), ref: 0089C6BD
WriteProcessMemory.KERNEL32(?,?,?,?,00000000), ref: 0089C6F2
VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040), ref: 0089C71B
WriteProcessMemory.KERNEL32(?,00000000,?,00000218,00000000), ref: 0089C8BF
WriteProcessMemory.KERNEL32(?,00000218,0089C990,-00000010,00000000), ref: 0089C8E1
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000218,00000000,00000000,00000000), ref: 0089C8F4
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0089C8FD

Strings

131, xrefs: 0089C883, 0089C893
%s|%s, xrefs: 0089C89F
4oST, xrefs: 0089C7D2

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: MemoryProcessWrite$AllocVirtual$CreateObjectRemoteSingleThreadWait
String ID: %s|%s$131$4oST
API String ID: 2137838514-1634972829
Opcode ID: 81b8390d0415907fab83b6cb263bb0acf9cd9b7e562509221941a8c2d4ea3612
Instruction ID: 46da1f73b6e19bb471609888f761cf37dfa15b8874074d1a8c5cbfdf4b4f5326
Opcode Fuzzy Hash: 81b8390d0415907fab83b6cb263bb0acf9cd9b7e562509221941a8c2d4ea3612
Instruction Fuzzy Hash: B7B18AB1D00208DFDB14CFA8CC85BAEBBB4FF48300F144259E919AB291D775AA45DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 008232E1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002,00000000,?,?,?,008235F3,?,?), ref: 0082337A
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,?,008235F3,?,?), ref: 008233A3
GetACP.KERNEL32(?,?,008235F3,?,?), ref: 008233B8

Strings

ACP, xrefs: 008232FF
OCP, xrefs: 00823335

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 40bf63b525b9dbf59ddf67b33ff45fd3419bbcfac6487e15173fd5d3ac6aff46
Instruction ID: c7a3183bafc02342f29cbc167ee956e8bf18c278a50e4c9d950a0f90b04f41a5
Opcode Fuzzy Hash: 40bf63b525b9dbf59ddf67b33ff45fd3419bbcfac6487e15173fd5d3ac6aff46
Instruction Fuzzy Hash: 18219262604128EAD734CB19F929A9AB3A6FB50B54B568424E905D7304EF36DFC1D350

Uniqueness

Uniqueness Score: -1.00%

Function 008234BD Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00819E32: GetLastError.KERNEL32(00000000,?,0081F819), ref: 00819E36
Part of subcall function 00819E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000007,000000FF), ref: 00819ED8

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 008235C5
IsValidCodePage.KERNEL32(?), ref: 00823603
IsValidLocale.KERNEL32(?,00000001), ref: 00823616
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0082365E
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00823679

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: aa5a0e391c0aecdd025c04c2d08665a61cb2b4df25685d2e1d496c3fdcb1f13b
Instruction ID: ecaef8d07c1307a5234e8b56a0905f4b4e3dabeed2a2d7b3a736ce15233a949f
Opcode Fuzzy Hash: aa5a0e391c0aecdd025c04c2d08665a61cb2b4df25685d2e1d496c3fdcb1f13b
Instruction Fuzzy Hash: D751AF72A00229ABDB10DFA9EC55ABE77B8FF18700F140469F914E7191EB74DB80DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00822B48 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 254COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00819E32: GetLastError.KERNEL32(00000000,?,0081F819), ref: 00819E36
Part of subcall function 00819E32: SetLastError.KERNEL32(00000000,00000000,00000001,00000007,000000FF), ref: 00819ED8

GetACP.KERNEL32(?,?,?,?,?,?,008172F0,?,?,?,?,?,-00000050,?,?,?), ref: 00822C07
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,008172F0,?,?,?,?,?,-00000050,?,?), ref: 00822C3E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00822DA1

Strings

utf8, xrefs: 00822D10

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: ac1b5b10c652016bb6726689f390f37803c966597a33088726cfd11d84f5028f
Instruction ID: 899a81144f78b3deadadc74141b71e2c42daac278dbe52c13da6525518c9e587
Opcode Fuzzy Hash: ac1b5b10c652016bb6726689f390f37803c966597a33088726cfd11d84f5028f
Instruction Fuzzy Hash: 3971073560032ABAEB24AF78EC42BBA73A8FF44710F14456AF905D7181EB74E9C08761

Uniqueness

Uniqueness Score: -1.00%

Function 0080C950 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction ID: 37b13d2947d0ae4d9b960dddcee344b0124cac8afd6d72191613fd7506bd202f
Opcode Fuzzy Hash: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction Fuzzy Hash: 7F021B71E012199FDF54CFA9DD806AEBBF1FF48314F248269E919E7381D731AA418B90

Uniqueness

Uniqueness Score: -1.00%

Function 008279D3 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 008279EC

Strings

`-}, xrefs: 00827AB6, 00827B60, 00827BA6
asin, xrefs: 00827B19
pow, xrefs: 00827A8A, 00827B34, 00827B81
log10, xrefs: 00827A2E, 00827A3D
acos, xrefs: 00827B22
sqrt, xrefs: 00827B2B
log, xrefs: 00827A49, 00827A58
exp, xrefs: 00827A6B, 00827AD0

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: DecodePointer
String ID: `-}$acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-4286532426
Opcode ID: cc40d8cafd56698bccec07c13221e873dad02deae3e1c87e06fad03d7aaf2697
Instruction ID: f7edd78f32b6013c6ebdde94fc670d1bc3537dc8346dc1146144c55093396c7f
Opcode Fuzzy Hash: cc40d8cafd56698bccec07c13221e873dad02deae3e1c87e06fad03d7aaf2697
Instruction Fuzzy Hash: F2519D7190863ECBDF149F6AF8881ADBFB0FF05324F544185D482E72A8C7748AA98B55

Uniqueness

Uniqueness Score: -1.00%

Function 007EA060 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 007EA09D
std::_Lockit::_Lockit.LIBCPMT ref: 007EA0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 007EA0E7
__Getctype.LIBCPMT ref: 007EA1C5
std::_Facet_Register.LIBCPMT ref: 007EA1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 007EA223

Strings

E}, xrefs: 007EA1AE
PD}, xrefs: 007EA19A
PG}, xrefs: 007EA1BF

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID: PD}$PG}$E}
API String ID: 1102183713-2277173291
Opcode ID: c86a0db291ae0da2adb011635d6b48d9ce63847062f1ae3cdaab5fcd781ef7b4
Instruction ID: 7c5b70fbe05a1a466483aac5855022da61021467fb61eb58c0938c0dc9da154b
Opcode Fuzzy Hash: c86a0db291ae0da2adb011635d6b48d9ce63847062f1ae3cdaab5fcd781ef7b4
Instruction Fuzzy Hash: D451B7B0D01389DBCB20CF59C94579EBBF4FB14310F148259E845AB392E7B8AE44CB92

Uniqueness

Uniqueness Score: -1.00%

Function 008072C0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 008072F7
___except_validate_context_record.LIBVCRUNTIME ref: 008072FF
_ValidateLocalCookies.LIBCMT ref: 00807388
__IsNonwritableInCurrentImage.LIBCMT ref: 008073B3
_ValidateLocalCookies.LIBCMT ref: 00807408

Strings

`-}, xrefs: 008073CC
csm, xrefs: 0080739D

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: `-}$csm
API String ID: 1170836740-3222909650
Opcode ID: 5d9ad308ff68efce409bba6c44b23a4fa96847bc26f3e256cd73b3474db45973
Instruction ID: 871731b281e40e72021002f7cadeec4e74f313da4ae43c1713a1a10a7a196a25
Opcode Fuzzy Hash: 5d9ad308ff68efce409bba6c44b23a4fa96847bc26f3e256cd73b3474db45973
Instruction Fuzzy Hash: DA41BD30E05209ABDF50DF68CC80A9EBBA5FF44318F558055EC18DB3D2DB31A945DB92

Uniqueness

Uniqueness Score: -1.00%

Function 007EC430 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 007EC45A
std::_Lockit::_Lockit.LIBCPMT ref: 007EC47C
std::_Lockit::~_Lockit.LIBCPMT ref: 007EC4A4
std::_Facet_Register.LIBCPMT ref: 007EC59A
std::_Lockit::~_Lockit.LIBCPMT ref: 007EC5C4

Strings

PD}, xrefs: 007EC54E
E}, xrefs: 007EC562

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID: E}$PD}
API String ID: 459529453-4115384346
Opcode ID: 56893a5eae37edcbfe189891c739a88a95edcc1777d027bf78a17972d62bc846
Instruction ID: 31d88aa82b6ca9c42647f945801569511cad3d53e11599f29ecd25e98318b977
Opcode Fuzzy Hash: 56893a5eae37edcbfe189891c739a88a95edcc1777d027bf78a17972d62bc846
Instruction Fuzzy Hash: 5751D0B0901394DFDB12DF58C858BAEBBF0FB05314F248159E845AB391D7B9AA06CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0081BB58 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0081BBDE

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction ID: f5f06afb7bbefee7a0e7a8d5e454e59f34b5e13b4c033d5c598e6b7a596f419f
Opcode Fuzzy Hash: 88e4da6258101c5fc24b34185784eb547dfa0330ad300027970d950eece25734
Instruction Fuzzy Hash: EFB16532A003659FDB258F68DC82BEE7BA9FF19310F144165E904EB282D774D981C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0081B370 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,0081B47F,?,?,00000000,00000001,?,?,0081B6A9,00000022,FlsSetValue,0092EB88,0092EB90,00000001), ref: 0081B431

Strings

ext-ms-, xrefs: 0081B3DB
api-ms-, xrefs: 0081B3C7

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 55c29efc1604dc9d4ba5e3f95040bdaf1ccc9b671dd6953d67f427d23e8d7ee9
Instruction ID: b1971dba9b28e0398cc906efc93cb3b02ef51e2402de2f699af77d0bff2d7c41
Opcode Fuzzy Hash: 55c29efc1604dc9d4ba5e3f95040bdaf1ccc9b671dd6953d67f427d23e8d7ee9
Instruction Fuzzy Hash: EF216632A15221BBCB319B25EC41EDA375CFF41360F244220F815E7292DB30EE91D6D1

Uniqueness

Uniqueness Score: -1.00%

Function 00813623 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,2784C555,?,?,00000000,0091E6D5,000000FF,?,008135FF,?,?,008135D3,00000016), ref: 00813658
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0081366A
FreeLibrary.KERNEL32(00000000,?,00000000,0091E6D5,000000FF,?,008135FF,?,?,008135D3,00000016), ref: 0081368C

Strings

`-}, xrefs: 0081367B
CorExitProcess, xrefs: 00813662
mscoree.dll, xrefs: 00813651

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$`-}$mscoree.dll
API String ID: 4061214504-2653274339
Opcode ID: a62ba6d38f93beb3fbe248c0f801f6f5bf24137e24c01e278e58c947faa14e42
Instruction ID: 03177c568388cc930c78dc77d8c7331b785980c62de31af26102d18af30f87e6
Opcode Fuzzy Hash: a62ba6d38f93beb3fbe248c0f801f6f5bf24137e24c01e278e58c947faa14e42
Instruction Fuzzy Hash: 7601A732958729EFCB118F54DC09FAEB7B8FB44B55F004125F811E22D0DB749A00DA40

Uniqueness

Uniqueness Score: -1.00%

Function 008952A0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 399COMMON

Download Yara Rule

Strings

4oST, xrefs: 0089552A
4oST, xrefs: 008955B5
191.96.150.225, xrefs: 00895328
4oST, xrefs: 00895451

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID:
String ID: 191.96.150.225$4oST$4oST$4oST
API String ID: 0-2793144940
Opcode ID: 0893f863b36c71bfad44d8b15563a56ea730cd3ccc21655829eaccfb02f83f01
Instruction ID: dc492f88a95dd8d523d188030957a19159d869f3537658e921f3c76e52bda5d6
Opcode Fuzzy Hash: 0893f863b36c71bfad44d8b15563a56ea730cd3ccc21655829eaccfb02f83f01
Instruction Fuzzy Hash: C802FF70D05288DFDF11EFA8C9457DDBBB0EB54304F588099D809AB382D7B55E88DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00802719 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00802720
std::_Lockit::_Lockit.LIBCPMT ref: 0080272B
std::_Lockit::~_Lockit.LIBCPMT ref: 00802799

Part of subcall function 0080287C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00802894

std::locale::_Setgloballocale.LIBCPMT ref: 00802746

Strings

`-}, xrefs: 00802768, 0080278C

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID: `-}
API String ID: 677527491-3104327004
Opcode ID: 5cfb0b46e98da6ad9da5f3075b2f2259c9dd45e6453dc8f0a6ec317b86d76d7d
Instruction ID: 7bd2cc3d5b397070b02aecfa5300e5a1bddaf610a9135a9561f094d1be334dc9
Opcode Fuzzy Hash: 5cfb0b46e98da6ad9da5f3075b2f2259c9dd45e6453dc8f0a6ec317b86d76d7d
Instruction Fuzzy Hash: 6801BC76A01A14CBC706EB24DC5957D7BA5FF84780B084059E801973D2CFB4AA42DB82

Uniqueness

Uniqueness Score: -1.00%

Function 00802BB8 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00802BCC
RtlAcquireSRWLockExclusive.NTDLL(00000008), ref: 00802BEB
RtlAcquireSRWLockExclusive.NTDLL(00000008), ref: 00802C19
RtlTryAcquireSRWLockExclusive.NTDLL(00000008), ref: 00802C74
RtlTryAcquireSRWLockExclusive.NTDLL(00000008), ref: 00802C8B

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: d9ca676c21c6331c38f4e55c8aba283bf1d99197072b1d74da8abf3cf1c04381
Instruction ID: 4260c6b6c5a6eb8fea193fb060f34403357d31d58bc357712a198040c68bc699
Opcode Fuzzy Hash: d9ca676c21c6331c38f4e55c8aba283bf1d99197072b1d74da8abf3cf1c04381
Instruction Fuzzy Hash: 61417C31900A0ADFEB61DF69CC899AEB3F8FF08350B604929E456D7680D7B0F985DB51

Uniqueness

Uniqueness Score: -1.00%

Function 007D7350 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 007D750C
___std_exception_destroy.LIBVCRUNTIME ref: 007D7522

Strings

[json.exception., xrefs: 007D73A1
)}, xrefs: 007D7502, 007D751C

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )}$[json.exception.
API String ID: 4194217158-1226008984
Opcode ID: d6e9d0f24ea6a83ee7719589fcf9ae47bf6bd33e4a47be41c8d1de518d9703b6
Instruction ID: 251aeb26247be8b536f25434d9a59b126d1059f9c21f0dbb69e7fa78b5b670e2
Opcode Fuzzy Hash: d6e9d0f24ea6a83ee7719589fcf9ae47bf6bd33e4a47be41c8d1de518d9703b6
Instruction Fuzzy Hash: 1551D0B1D01388DFDB10DFA8C905B9EBBB4EF15314F144269E850A7382E7B85A44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 007D4900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 007D499F

Part of subcall function 008051EB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,76A923A0,?,00801CF9,?,009469D8,76A923A0,?,76A923A0,-00956880), ref: 0080524B

Strings

ios_base::eofbit set, xrefs: 007D4946
ios_base::failbit set, xrefs: 007D4828, 007D4941
ios_base::badbit set, xrefs: 007D4937, 007D4962

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1903096808-1866435925
Opcode ID: 311a4e745b3264bd14edd23473059c6188eed4b9df1c2d7a59db91108d00a63e
Instruction ID: 1f2160f6564f57ad996757ccf14adc4b7820e1307d0c6687aaa3de45dfcda886
Opcode Fuzzy Hash: 311a4e745b3264bd14edd23473059c6188eed4b9df1c2d7a59db91108d00a63e
Instruction Fuzzy Hash: 40112972904748ABCB20DF5CDC06B9673E8E705710F44462AF958873C1EB39A900CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00818E8F Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(2784C555,00000000,00000000,?), ref: 00818EF2

Part of subcall function 0081EC43: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0081A854,?,00000000,-00000008), ref: 0081ECA4

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00819144
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0081918A
GetLastError.KERNEL32 ref: 0081922D

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: bdfd35a012764c4eead4d657988ccb1037133ac7842f1ac1e7ee1f34b7ade00c
Instruction ID: cb8f6035522fe57171119ff76c5deb10784e12b9d035f84f09c45db53f813f61
Opcode Fuzzy Hash: bdfd35a012764c4eead4d657988ccb1037133ac7842f1ac1e7ee1f34b7ade00c
Instruction Fuzzy Hash: 19D18D75D04248AFCF15CFA8D890AEDBBB9FF09314F14452AE46AEB351D730A982CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00826D22 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000,?,?,00823DBC,?,00000001,?,?,?,00819281,?,00000000,00000000), ref: 00826D39
GetLastError.KERNEL32(?,00823DBC,?,00000001,?,?,?,00819281,?,00000000,00000000,?,?,?,0081985B,?), ref: 00826D45

Part of subcall function 00826D0B: CloseHandle.KERNEL32(FFFFFFFE,00826D55,?,00823DBC,?,00000001,?,?,?,00819281,?,00000000,00000000,?,?), ref: 00826D1B

___initconout.LIBCMT ref: 00826D55

Part of subcall function 00826CCD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00826CFC,00823DA9,?,?,00819281,?,00000000,00000000,?), ref: 00826CE0

WriteConsoleW.KERNEL32(?,?,?,00000000,?,00823DBC,?,00000001,?,?,?,00819281,?,00000000,00000000,?), ref: 00826D6A

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3758399558b09e963211dc9c059493e0862aa3bfc1f0439e01e941809ed59bb8
Instruction ID: a785ac00e97e683d9c5a37e6101e9bc03234154e2da6b80758b38c25409a0ca6
Opcode Fuzzy Hash: 3758399558b09e963211dc9c059493e0862aa3bfc1f0439e01e941809ed59bb8
Instruction Fuzzy Hash: 88F01C36154128BBCF232F96EC05A893F66FB093B1F004410FA0885120E6328C70EB92

Uniqueness

Uniqueness Score: -1.00%

Function 007D36E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 178COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 007D3819
___std_exception_destroy.LIBVCRUNTIME ref: 007D38F0

Strings

)}, xrefs: 007D37ED, 007D38EA

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: )}
API String ID: 2970364248-2919107992
Opcode ID: 4a39e5d9f54204f4c0d16cb89a6e0951a45cd3f8ceffec0c93218835304b0468
Instruction ID: cf594d8c11654f044f00d8b0b635deba04e0c71a9c4ee3d645f6f53c99eb0866
Opcode Fuzzy Hash: 4a39e5d9f54204f4c0d16cb89a6e0951a45cd3f8ceffec0c93218835304b0468
Instruction Fuzzy Hash: 1B619DB1C01258DFDB10CF98C944B9DFBB5FF19324F14825AE814AB382D7B95A44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 007D47F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 007D499F

Part of subcall function 008051EB: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,76A923A0,?,00801CF9,?,009469D8,76A923A0,?,76A923A0,-00956880), ref: 0080524B

Strings

ios_base::failbit set, xrefs: 007D4828
ios_base::badbit set, xrefs: 007D4937, 007D4962

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: ExceptionIos_base_dtorRaisestd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 1903096808-1240500531
Opcode ID: 0d2928967d243fce4bf336f3e240ea6c5f6a324d0f2eeec998090dc20c004bfe
Instruction ID: 64ff476c7935d48d319e17a9c2121cde81ad1a89e16434a68eefd1115195e161
Opcode Fuzzy Hash: 0d2928967d243fce4bf336f3e240ea6c5f6a324d0f2eeec998090dc20c004bfe
Instruction Fuzzy Hash: 9A41F4B2904248AFCB14DF58CD45BAEBBF8EB45710F14825AF554A73C1D779AA00CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 007D4040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 007D4061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 007D40C4

Strings

bad locale name, xrefs: 007D40E6

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 38ae728efb838f5447003e4940d1fc9f05f04a125935e21991bedd5858604bb7
Instruction ID: 1c2f9f2ee700e0ac4571dfb49f65f27226b5d49743ca79beabab682e9f59db50
Opcode Fuzzy Hash: 38ae728efb838f5447003e4940d1fc9f05f04a125935e21991bedd5858604bb7
Instruction Fuzzy Hash: ED11EE70805B84EED321CF68C90874BBFF4AF15714F148A9DE48597B81C3B9AA04CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 007E6590 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 007E65C9
___std_exception_copy.LIBVCRUNTIME ref: 007E65FC

Strings

)}, xrefs: 007E65BA, 007E65ED

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_copy
String ID: )}
API String ID: 2659868963-2919107992
Opcode ID: 6d976e86ca8c30c8d18303de775d3f95ad1752532075e5b2e84878bedc96cb7c
Instruction ID: dd64e81e10dbbc1724aad559252b3cb10f30899975e00586d835f638a2f38a1d
Opcode Fuzzy Hash: 6d976e86ca8c30c8d18303de775d3f95ad1752532075e5b2e84878bedc96cb7c
Instruction Fuzzy Hash: 031121B6900758EBC711CF99D980B86F7F8FB09720F10875AF914A7641E774A540CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 007D7A20 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 007D7A5C
___std_exception_destroy.LIBVCRUNTIME ref: 007D7A72

Strings

)}, xrefs: 007D7A52, 007D7A6C

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: )}
API String ID: 4194217158-2919107992
Opcode ID: 332c3d28c4ed2ac9f8e7a7c67365e2ee8b81f1c3a0d577561f5766bb820e3f16
Instruction ID: 20b845eed18ebd50a63e56aba05f72fd06c0b1a17c8ae60ae8f1d23b465ece3a
Opcode Fuzzy Hash: 332c3d28c4ed2ac9f8e7a7c67365e2ee8b81f1c3a0d577561f5766bb820e3f16
Instruction Fuzzy Hash: A2F062B1845758DFC710DF98D901B8DBBF8FB05724F500659E414E37C0D3B956048792

Uniqueness

Uniqueness Score: -1.00%

Function 0080360D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00803067,?,?,?,?,008951DF), ref: 00803645
GetSystemTimeAsFileTime.KERNEL32(?,2784C555,00000000,?,0091E6F2,000000FF,?,00803067,?,?,?,?,008951DF), ref: 00803649

Strings

`-}, xrefs: 0080363F

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID: `-}
API String ID: 743729956-3104327004
Opcode ID: caa85f26091462f7806b36a5aeb31f6a8b679efaf3e92bc938f00c878acfefc8
Instruction ID: bfaeac76c23d0c7b56114cb02a22a9d88a76b71cfe726b9348b25528132714bb
Opcode Fuzzy Hash: caa85f26091462f7806b36a5aeb31f6a8b679efaf3e92bc938f00c878acfefc8
Instruction Fuzzy Hash: 38F06533A58A68EFC7119F55DC01B5AB7A8F708F64F004126E812D77D0DB75A900EF80

Uniqueness

Uniqueness Score: -1.00%

Function 0081B7E6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000016,00000001,008089C2,00000001,00000016,00808BD1,?,?,?,?,?,00000000), ref: 0081B826

Strings

`-}, xrefs: 0081B816
InitializeCriticalSectionEx, xrefs: 0081B7F6

Memory Dump Source

Source File: 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, Offset: 007D0000, based on PE: true

Associated: 00000008.00000002.3549393701.00000000007D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000952000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549517968.0000000000962000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.000000000096C000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000971000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3549900407.0000000000974000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000AC1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000B50000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.0000000000E68000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3550040233.000000000110D000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_7d0000_RageMP131.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$`-}
API String ID: 2593887523-2593076690
Opcode ID: d62148dab846216d076095f9e48c2208355996cb7f9aa8effb3b97f757e184c0
Instruction ID: b4eb87ed629b8f3f8072f3e3c71ba3dddd4acb95d45cca12d5a9179138f178a2
Opcode Fuzzy Hash: d62148dab846216d076095f9e48c2208355996cb7f9aa8effb3b97f757e184c0
Instruction Fuzzy Hash: 74E0ED32581268BBCB216F95AC05EAE7F1AEF48BA1B048030F91995161C7724962ABD5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Function 00125940 Relevance: 12.1, APIs: 8, Instructions: 92
networkCOMMON

Function 00124EB0 Relevance: 18.3, APIs: 12, Instructions: 279
networksleepCOMMON

Function 00069280 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 382
libraryloadernetworkCOMMON

Function 000A8900 Relevance: 9.3, APIs: 6, Instructions: 292
COMMONLIBRARYCODE

Function 001252A0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 399
COMMON

Function 00144050 Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Function 000A9779 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMON

Function 000A8DEF Relevance: 3.1, APIs: 2, Instructions: 63
COMMON

Function 000A250C Relevance: 3.1, APIs: 2, Instructions: 52
COMMONLIBRARYCODE

Function 000AB00C Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Function 00098DF2 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Function 00089E20 Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre